Mass assignment protection out of the box

45 views
Skip to first unread message

karlo...@gmail.com

unread,
Jun 23, 2018, 5:16:32 AM6/23/18
to phoenix-talk
Hi!

I am proposing this feature, based on Ruby on Rails permit parameter.

Here is explanation.

In Ruby on Rails, if permit is not called on parameters, database items can not be created/updated.
With permit, developer sets which parameters could be updated.
E.g. on user registration that could be :email, :password, :username.

So if hacker tries to update all possible database attributes using curl, e.g. for user registration token activation time, this would fail.

In phoenix, call to cast method on changeset, should be made mandatory.

Regards, Karlo.

Chris McCord

unread,
Jun 23, 2018, 2:30:19 PM6/23/18
to phoeni...@googlegroups.com
Phoenix uses Ecto to handle user input by default, and Ecto requires you to pass the cast-able fields when calling cast, so this is already part of the contract.

--
You received this message because you are subscribed to the Google Groups "phoenix-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to phoenix-talk...@googlegroups.com.
To post to this group, send email to phoeni...@googlegroups.com.
Visit this group at https://groups.google.com/group/phoenix-talk.
To view this discussion on the web visit https://groups.google.com/d/msgid/phoenix-talk/784efeaf-6acd-4e5c-8e42-fa64ebd7d6f1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

karlo...@gmail.com

unread,
Jun 23, 2018, 3:14:54 PM6/23/18
to phoenix-talk
Hi!

My idea was to make calling cast method mandatory.
That Ecto refuses to do any model operation if changeset was not created using cast method.

Is this possible to do?

Thanks!

Regards, Karlo.

Michał Muskała

unread,
Jun 24, 2018, 2:54:46 AM6/24/18
to phoenix-talk
I would say that this already happens. The only way you could "bypass" cast is by building the changeset/struct field-by-field but then you filter the fields you allow already. There has to be some intermediary step (be it cast or some other filtering), because the params come with string keys, but structs and change sets accept atom keys. It's not possible to just pass whole params to the database.

Michał.
Reply all
Reply to author
Forward
0 new messages