Comments (6)
I enabled attribute whitelisting in 6b2c541 as a security measure after a vulnerability in Rails was made public. This patch inadvertently prevented data seeding, which I never noticed, since my local database was seeded long ago (and there are no tests for seeding data). Your workaround will allow data seeding but it should not be committed, lest you open a security hole in Adopt-a-Hydrant. This will be fixed in Rails 4 with strong parameters, which should allow unencumbered seeding of data, since attribute checking will move from the model to the controller.
from adopt-a-hydrant.
Hey Erik,
Thanks for the explanation. So I ran into this same issue when I tried to adopt a hydrant. I used an attr_accessible declaration for the user_id; otherwise the POST request wasn't working. How does the live site get around this issue?
For all I know, it doesn't work in production. I pushed this change in the middle of June, when the site wasn't active for the winter. It may be broken now, but at least it's secure, right? :wink2:
I'll look into this when I get a chance. Maybe I'll add strong parameters, which is available to use in Rails 3.2 apps as a gem. Or maybe you could work on that?
I'll take a look at strong parameters and update you on my progress.
FWIW, I just got around the seed data problem by opening up the Thing model in the seeds file, and adding the attr_accessible call there. Here's a commit for reference.
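As an added illustration of the point made in the first comment and of the seeds-file workaround above (example code written for this page, not adopt-a-hydrant's own, and not using Rails): a model-level whitelist in the style of attr_accessible, assumed here to run in strict mode so that a non-whitelisted key raises, blocks a seed script from setting user_id; moving the whitelist into a strong-parameters-style permit at the controller boundary lets seeds assign any column while still stripping user_id from a request body. The class names WhitelistedThing and OpenThing, the permit helper and the request hash are all constructed for this example. Reopening the model in seeds.rb to add attr_accessible :user_id would widen the first whitelist for every caller, which is the hole the first comment warns about.

```ruby
# Added example, not adopt-a-hydrant code. Plain Ruby stand-ins for the two
# places a mass-assignment whitelist can live: in the model (attr_accessible
# style) or at the controller boundary (strong-parameters style).

class MassAssignmentError < StandardError; end

# Model-level whitelist, as attr_accessible does. Strict mode is assumed:
# a key outside the whitelist raises instead of being silently dropped.
class WhitelistedThing
  attr_reader :name, :address, :user_id
  ACCESSIBLE = %i[name address].freeze

  def initialize(attrs = {})
    attrs.each do |key, value|
      key = key.to_sym
      unless ACCESSIBLE.include?(key)
        raise MassAssignmentError, "#{key} is not mass-assignable"
      end
      instance_variable_set("@#{key}", value)
    end
  end
end

# Model without a whitelist: every column is assignable, so a seed script
# can set user_id. Protection then has to happen at the request boundary.
class OpenThing
  attr_reader :name, :address, :user_id

  def initialize(attrs = {})
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
  end
end

# Controller-side filter in the style of strong parameters: keep only the
# keys the controller explicitly permits and return the ones it dropped.
def permit(params, *allowed)
  allowed = allowed.map(&:to_sym)
  permitted = {}
  dropped = []
  params.each do |key, value|
    sym = key.to_sym
    if allowed.include?(sym)
      permitted[sym] = value
    else
      dropped << sym
    end
  end
  [permitted, dropped]
end

# Seeding scenario from the issue: the seed data needs to set user_id.
def seed_with_whitelist
  WhitelistedThing.new(name: "Hydrant 1", address: "1 Main St", user_id: 42)
  :seeded
rescue MassAssignmentError => e
  e.message
end

def seed_with_open_model
  thing = OpenThing.new(name: "Hydrant 1", address: "1 Main St", user_id: 42)
  thing.user_id
end

# Request scenario: a constructed POST body that tries to set user_id.
# The controller permits only name and address and sets the owner itself.
def handle_adopt_request(current_user_id)
  request_params = { "name" => "My hydrant", "address" => "1 Main St",
                     "user_id" => "999" }
  attrs, dropped = permit(request_params, :name, :address)
  thing = OpenThing.new(attrs.merge(user_id: current_user_id))
  [thing.user_id, dropped]
end

if __FILE__ == $0
  puts seed_with_whitelist      # seeding fails under the model whitelist
  puts seed_with_open_model     # seeding succeeds with the open model
  p handle_adopt_request(7)     # request cannot override the owner
end
```

Running the script shows the trade-off the thread is about: the model-level whitelist protects every code path, including seeds, which is why seeding broke; the boundary-level filter lets trusted code such as seeds assign freely and still refuses a user-supplied user_id.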
Closing this after Erik's latest commit: 7004916. Thanks for fixing this Erik!