Security - Filter attributes when creating user with Devise

My concern is about the possibility for a malicious user to add an extra parameter when he registers on my site. I'm using Rails 3.2.8 and Devise 2.1.2. I have a class User with an admin attribute

user.rb

class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable, :recoverable, :trackable,
     :validatable, :token_authenticatable, :lockable
end

schema.rb

create_table "users", :force => true do |t|
  t.boolean  "admin"
  t.string   "email",                                  :null => false
  t.string   "encrypted_password",     :default => "", :null => false
  # other devise columns are not relevant for the question...
end

I'm using the provided Devise::RegistrationsController for the registration of a User, and a custom view with email and password:

<%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
  <%= devise_error_messages! %>

  <div class="form_line">
    <%= f.label :email, 'Email' %>
    <%= f.email_field :email %>
  </div>
  <div class="form_line">
    <%= f.label :password, 'Password' %>
    <%= f.password_field :password %>
  </div>
  <div class="form_line">
    <%= f.label :password_confirmation, 'Password confirmation' %>
    <%= f.password_field :password_confirmation %>
  </div>

  <div class="actions">
    <%= f.submit "Register", class: 'button' %>
  </div>
<% end %>

I works perfectly, but a if a malicious user adds a parameter admin with value true in the post request, the user is created with the admin privileges.

Started POST "/users" for 127.0.0.1 at 2012-09-10 18:46:15 +0200
Processing by RegistrationsController#create as HTML
  Parameters: { "user"=>{"email"=>"test@example.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "admin"=>"true" }

That's a security weakness in my site. Can I configure Devise to ignore extra parameters (I need only email and password) when a user registers (or updates its profile, I think I'll have the same problem) ? If it's not possible, is there another solution ?

Answers


You need to protect the admin field from mass-assignment. You should add this to your model: attr_protected :admin

Read more here: http://apidock.com/rails/v3.2.8/ActiveModel/MassAssignmentSecurity/ClassMethods/attr_protected


Need Your Help

Stop/Run windows service and building a solution

.net msbuild windows-services build-process automation

I'd like to have a script that stops a certain windows service,build or rebuild a solution and runs the service after the build process finished.

Which classes cannot be subclassed?

python class inheritance python-3.x language-design

Is there any rule about which built-in and standard library classes are not subclassable ("final")?

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.