I'm having a hard time understanding strong params. I understand it prevents mass assignment of variables you don't permit. But in Hartl's tutorial I also read that without strong params someone could change, for example, any user's admin status through a PATCH request (which I guess isn't mass assignment, because that's just one value you would change). But then how do you implement strong params for variables that:
- Should only be allowed to be set once (when creating a new user)
- Some users should be able to change but others not
For example, I have:
private

  def user_params
    params.require(:user).permit(:email,
                                 :username,
                                 # :verified,
                                 # :admin,
                                 # :moderator,
                                 # :activated,
                                 # :activated_at,
                                 :password,
                                 :password_confirmation)
  end
Now, the ones with a dash I understand should NOT be permitted. Otherwise users could change their values through mass assignment (or otherwise).
However:
- An admin user (which is a specific user from the same table/controller) should be able to change these variables for all users.
- In the case of my app, organizations (a different table) should be able to give a user moderator rights and thus change these values for users.
- Username should only be set when a new user is created and after that should never be permitted to change. Now, by permitting username in strong params, doesn't that mean it is vulnerable to being changed through mass assignment?
How does strong params relate to these issues?
2 Solutions
#1
0
While the simplest case is for user_params to always do the same thing and be used by all calls to update_attributes, that is just the simplest case.
It is perfectly sensible to permit based on the privileges of the current user or to have different permit lists for different actions (so maybe only the permit list used in the create action permits :username).
Another pattern you could consider is an Admin namespace for those with administrative access: Admin::UsersController would allow more fields to be mutated and might expose more functionality or data that a normal user should not have access to.
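The per-action, per-privilege permit list described in this answer, written out as an added runnable example (not code from the question or either answer). It is plain Ruby with a hand-rolled stand-in for params.require(:user).permit so it runs without Rails; the names permitted_keys, permitted_user_params, BASE_FIELDS and ADMIN_ONLY_FIELDS are hypothetical, and the sample request is constructed.

```ruby
require 'set'

# Attributes any signed-in user may set on their own record.
BASE_FIELDS = %i[email password password_confirmation].freeze
# The attributes commented out in the question: only an admin may change them, for any user.
ADMIN_ONLY_FIELDS = %i[verified admin moderator activated activated_at].freeze

# Returns the attribute list permitted for this controller action and this actor.
# :username is allowed only on create, so it is set once and never mass-assigned later.
# current_user is a plain hash here (hypothetical stand-in for a User record).
def permitted_keys(action:, current_user:)
  keys = BASE_FIELDS.dup
  keys << :username if action == :create
  keys.concat(ADMIN_ONLY_FIELDS) if current_user[:admin]
  keys
end

# Minimal stand-in for params.require(:user).permit(*keys): raises when the :user
# scope is missing (like require) and silently drops every unpermitted key (like permit).
def permitted_user_params(params, action:, current_user:)
  user = params[:user]
  raise ArgumentError, "param is missing or the value is empty: user" unless user

  allowed = permitted_keys(action: action, current_user: current_user).to_set
  user.select { |k, _| allowed.include?(k.to_sym) }.transform_keys(&:to_sym)
end

# Constructed sample request: during an update the caller also tries to rename the
# account and set admin: true, the two things the question wants blocked.
TAMPERED_UPDATE = { user: { email: "a@example.com", username: "newname", admin: true } }.freeze
NORMAL_USER = { admin: false }.freeze
ADMIN_USER  = { admin: true }.freeze

if __FILE__ == $PROGRAM_NAME
  # Normal user on update: username and admin are dropped, only email survives.
  p permitted_user_params(TAMPERED_UPDATE, action: :update, current_user: NORMAL_USER)
  # Admin on update: admin is kept, username is still dropped.
  p permitted_user_params(TAMPERED_UPDATE, action: :update, current_user: ADMIN_USER)
end
```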
#2
0
I'm no expert but as far as I can figure out: When you set up strong parameters you are typically controlling what gets passed into an update_attributes/create method. So you are defining what survives within:
params[:user][ ... ]
In the case of an admin updating a user, you don't need to POST a whole user object; you can simply make a call to a particular function that will change whichever user attributes you want to change. In other words:
// jQuery takes a single settings object; the request body goes in "data".
$.ajax({
  method: "PUT",
  url: "/users/" + uid,
  data: { task: "make_admin" }
});
And in your controller:
def update
  # user_is_authorized stands for your own check that the current user may promote others.
  if params[:task] == "make_admin" && user_is_authorized
    # update! persists the change; assigning .admin = true alone would never be saved.
    User.find(params[:id]).update!(admin: true)
  end
end