Rails 3: Back to basics with attr_accessible

Recently I was working on a project that contained a few *security flaws*: every column of a particular model could be set from forms submitted to the application.

To rectify the issue, we needed not only to manage more carefully how associations were set, but also to fix the potential for attributes to be injected through request parameters.

What is attr_accessible?
attr_accessible lets you declare which attributes of a model may be set via mass-assignment, that is, through any method that takes a hash of attributes such as new(attrs) or update_attributes(attrs). Attributes not on that whitelist are dropped from the hash (by default Rails 3 logs this; from Rails 3.2 you can make it raise instead with config.active_record.mass_assignment_sanitizer = :strict).

Let’s take a look at an example.

In the above example, the form is open to having the admin flag submitted along with the other fields. What if the user being created isn't supposed to be an admin? Nothing stops a client from adding an admin field to the request even though the form never rendered one.

Let’s look at an example that fixes this mass-assignment security hole:

The above gives the application explicit control over when the admin flag is set, instead of letting it be set maliciously through an HTTP request. This class of flaw pushed the Rails community to develop a new way of mass-assigning attributes in Rails 4: Strong Parameters.
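The two model snippets the post refers to did not survive on this page. As an added example (not the post's code and not ActiveRecord), here is a small pure-Ruby stand-in that reimplements only the Rails 3 mass-assignment semantics discussed above, the attr_accessible whitelist applied to new(attrs) and update_attributes(attrs), and runs both an unprotected model and a whitelisted one against a tampered signup request. The model names, the column names (name, email, admin) and the params hash are assumptions; Rails 3.2's strict sanitizer is emulated by the ToyModel.strict flag.

```ruby
# Added example: a stand-in for ActiveRecord's Rails 3 mass-assignment
# protection. This is NOT ActiveRecord; it reimplements only what is needed
# to show attr_accessible's effect on new(attrs) and update_attributes(attrs).
# Column names (name, email, admin) are assumed; the post does not show them.

class MassAssignmentError < StandardError; end

class ToyModel
  class << self
    # Emulates config.active_record.mass_assignment_sanitizer = :strict
    # (Rails 3.2): raise instead of silently dropping protected keys.
    attr_accessor :strict
    attr_reader :accessible, :column_names

    # attr_accessible: the whitelist of mass-assignable attribute names.
    # A model that never calls it has no whitelist, i.e. every column is
    # mass-assignable, which is the Rails 3.0/3.1 default.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # Declares the columns; each gets a plain reader and writer that
    # application code can always call, whitelist or not.
    def columns(*names)
      @column_names = names.map(&:to_s)
      attr_accessor(*names)
    end
  end

  def initialize(attrs = {})
    self.class.column_names.each { |c| instance_variable_set("@#{c}", nil) }
    # admin is a boolean column with a database default of false (assumed).
    @admin = false if self.class.column_names.include?("admin")
    assign_attributes(attrs)
  end

  def update_attributes(attrs)
    assign_attributes(attrs)
    true
  end

  private

  def assign_attributes(attrs)
    sanitize(attrs).each do |name, value|
      raise ArgumentError, "unknown attribute: #{name}" unless self.class.column_names.include?(name)
      send("#{name}=", value)
    end
  end

  # Rails 3 default behaviour: keys outside the whitelist are dropped
  # (and logged); in strict mode they raise instead.
  def sanitize(attrs)
    attrs = attrs.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
    whitelist = self.class.accessible
    return attrs if whitelist.nil?   # no attr_accessible: everything goes through
    protected_keys = attrs.keys - whitelist
    if protected_keys.any? && ToyModel.strict
      raise MassAssignmentError, "Can't mass-assign protected attributes: #{protected_keys.join(', ')}"
    end
    attrs.reject { |k, _| protected_keys.include?(k) }
  end
end

# Before: no attr_accessible, so a tampered form can set admin.
class UnprotectedUser < ToyModel
  columns :name, :email, :admin
end

# After: only name and email are accepted from a form; admin stays protected.
class User < ToyModel
  columns :name, :email, :admin
  attr_accessible :name, :email
end

# Constructed request params: a signup form that only rendered name and
# email, with an "admin" field added by the client before submitting.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "mallory@example.com", "admin" => true }.freeze

def create_unprotected(params)
  UnprotectedUser.new(params)
end

def create_protected(params)
  User.new(params)
end

# The intended path for granting admin: an explicit writer called from code
# the application controls (an admin-only action, a console, a migration),
# never from the request hash.
def promote(user)
  user.admin = true
  user
end

if $PROGRAM_NAME == __FILE__
  puts "unprotected: admin=#{create_unprotected(TAMPERED_PARAMS).admin.inspect}"
  puts "protected:   admin=#{create_protected(TAMPERED_PARAMS).admin.inspect}"
end
```

In a real Rails 3.2 app the equivalent is `attr_accessible :name, :email` in the model, and `config.active_record.whitelist_attributes = true` in config/application.rb so that a model that forgets to declare a whitelist is closed rather than open; setting `mass_assignment_sanitizer = :strict` in development and test makes a tampered or mis-wired form fail loudly instead of being silently trimmed.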

This exercise was beneficial to me and the team I work with in buttoning up any other security holes the app may be vulnerable to. Hope this helps!

Happy hunting!