how to protect attributes from mass assignement - ruby-on-rails-3

Hi I have a NOOB question in light of what happend at GITHUB with their application being exploited because of the security hole in Rails.
What is the best way to protect object attributes in Rails but still allow them to be assigned values where applicable?
Thanks

Actually Rails 3.1 has added new built-in ways to handle mass-assignment with roles which is probably something that you want to take a look at.
Release notes here
Basically it works like this:
class User < ActiveRecord::Base
attr_accessible :name
attr_accessible :name, :role, :as => :admin
end
What this enables you to do is that you can use the following way to allow the user to update his own information in one of your controllers:
#user.update_attributes(params[:user])
And that usage can never update the :role attribute in the User model. But when you have your admin users managing the roles in a separate controller, then you can user the following syntax:
#user.update_attributes(params[:user], :as => :admin)
And that will allow the :role attribute to be updated as well

Related

Rails 4.0 - Nested Attributes with Devise

I am using Rails 4.0 and would like to use Devise for my sign-up/sign-out/etc.
However, on my sign-up page I would like to have fields not only from the user model that devise creates but also another model that users have a relationship with (organizations in this case).
I have setup associations on the models for user and organization like so:
user.rb
has_one :organization
accepts_nested_attributes_for :organization
organization.rb
belongs_to :user
Any ideas on how to make this happen? I tried overriding the registration controller for devise but haven't had any luck.
You need to override the views and insert a fields_for block for that :organization association. Run rails generate devise:views and look for the new view files in your app/views/devise directory.

Rails application design, user-dependent routing and content

I'm currently building a rails application that contains 3 user types. This is my first experience with web development, and I would like to avoid making crucial design errors that will cost me later on. Hopefully more experienced rails users and web developers will be able to guide me in the right direction.
I want to use Devise as my primary authentication system, and I am currently planning something like this in order to support 3 user-types within the Devise framework:
class User < ActiveRecord::Base
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
attr_accessible :email, :password, :password_confirmation, :remember_me
belongs_to :rolable, :polymorphic => true
end
For each of the three user-types:
# usertype1.rb
class UserType1 < ActiveRecord::Base
has_one :user, :as => :rolable
end
# usertype2.rb
class UserType2 < ActiveRecord::Base
has_one :user, :as => :rolable
end
Essentially, there is a polymorphic association between the user class and the several different user types. My hope is that this approach will allow me to eventually add different associative keywords within the user-type models (such as has-many) that will allow convenient querying of the database.
I'm also concerned about how to implement user-dependent routing. The idea is that each user-type will see a separate "hub" when they log-in, with different dashboards, different actions, etc. I was thinking that I would approach this by overriding the Devise SessionsController. Something like this:
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by_email(params[:email])
if user && user.authenticate(params[:password])
session[:user_id] = user.id
if user.type == 1
redirect_to hub_typeone
else if user.type == 2
redirect_to hub_typetwo
else
redirect_to hub_typethree
else
flash.now.alert = "Email or password is invalid"
render "new"
end
end
def destroy
session[:user_id] = nil
redirect_to root_url, notice: "Logged out!"
end
end
The idea is that upon successful authentication, the user is routed to a different page based on user type. I'm planning on using the devise current_user framework to then query the database to populate the hubs with the user-specific data.
Do you guys have any pointers for me? Do you see any huge flaws in my plans/reasoning/approach? Thanks in advance!
I get a feeling you are over-engineering this, and building something You Aren't Gonna Need It
It's best if you are clear about what the three different user types are. Most applications would require the following three user types:
Guest users, who aren't logged in, and can access some part of the application
Regular users
Admin users who administer the rights of regular users.
I am curious to know what other user types you would need if they are not in this list.
Devise wikipages has suggestions on how to create a guest user, and how to add an admin role. Probably best to start by implementing the functionality of the regular users of your application, and then use the above mentioned resources to add other user types.

Can "belongs_to" be defined more than once in Active_Record?

I am trying to write a database for a company in town. I am using Devise for authentication, and Forem for the forums of the site. I decided to just have one class, "Account" for the Devise authentication, which will have many different access types to the site.
The bulk of the users will be just customers, which are segregated by routes (not Rails routes, street routes). So I decided to have them have their own profile model.
I want to do this - Profile is linked to account, and to route. (Routes are named gmr_routes)
Is this code the proper way to do it? Documentation I've found hasn't told me I can't, but I just want to be sure....
class Profile < ActiveRecord::Base
attr_accessible :first_name, :last_name, :phone_number, :street_address
belongs_to :account
belongs_to :gmr_route
end
Account has a has_one relationship with Profile, and gmr_route has a has_many.
Is this right?
Bryan
Yes, that's perfectly acceptable. You need to remember to include a foreign key id on any model with a belongs_to.
So in the case you describe, you would have account_id:integer and gmr_route_id:integer in your migration, and include those in the attr_accessible call in your model

Best way to model users that have roles with differing attributes in Rails?

I'm a Rails noob and am hoping someone can help me wrap my head around this issue. I have an app that has a single User model using Authlogic for authentication and CanCan for authorization. There are three roles: Consumer, Business, and Admin. A user can have any number of these roles.
Businesses have additional attributes, however, and I need to model this such that I can add roles that each have potentially different attributes. Instinct tells me that I need to have a separate model to represent each role's attributes, i.e. BusinessRoleProfile, ConsumerRoleProfile, etc and then maybe mixin a module programmatically that adds the appropriate has_one reference(s) to the profile model(s).
Is this the best way to handle the separate attributes? If so, can someone guide me through how to dynamically include those mixins based on what role the user has?
EDIT:
Did some more research, this may help you. https://github.com/thefrontiergroup/scoped_attr_accessible
Looks like you can do things like:
class User < ActiveRecord::Base
# All attributes are accessible for the admin scope.
attr_accessible :all, :scope => :admin
# The default scope can only access a and b.
attr_accessible :a, :b
# Make both :c and :d accessible for owners and the default scope
attr_accessible :c, :d, :scope => [:owner, :default]
# Also, it works the same with attr_protected!
attr_protected :n, :scope => :default
end
OLD ANSWER
Looks like it may be featured in CanCan 2.0.
https://github.com/ryanb/cancan/issues/326

Rails and Devise - Add a Field To Log-In

I have set up a blog with secure log-in using the Devise plugin and its working well. I'm going to add an additional 'username' field at sign-up and article posts will then display this info. How do I achieve this so the username goes into the db - any code help would be appreciated?
User names will need to be unique but I will look into this later.
As the Devise wiki sez:
Create a migration
rails generate migration add_username_to_users username:string
Run the migration
rake db:migrate
Modify the User model and add username to attr_accessible
attr_accessible :username
more info here
For uniqueness you could just do a validation on the User model
Hope this helps!
Okay so you have 2 questions in the same topic.
The first one has been answered and you followed these steps: Add custom fields to devise
Then for your next question: the problem isn't the user but #article because this variable is nil. So Rails can't find the User related to something that is nil.
You should post your controller and your _article view so I can help further.
Also I don't understand what you meant by :
I changed the object from 'email' to 'username' to stop it showing the submitters email address in the article
..You can choose whatever you want to display without replacing anything. If you want to display the user's username, just do user.username
add belongs_to :user in your article.rb and has_many :articles to your user.rb
update your migration of article to include a user_id:integer field (or use t.references :user)
update your ArticlesController#create action to use current_user.create_article or build_article
be sure to invoke the authenticate_user! before_filter for the :create action
before_filter :authenticate_user!, only => :only => [:new, :create, :edit, :update, :destroy]
ref:
http://guides.rubyonrails.org/association_basics.html