
[#8268] password and password_confirmation should be attr_protected

Date:
2007-01-29 11:12
Priority:
3
Submitted By:
Daniel Weinand (dweinand)
Assigned To:
Nobody (None)
Category:
None
State:
Open
Summary:
password and password_confirmation should be attr_protected

Detailed description
For security's sake, password should be protected from mass assigns IMO. For instance, on my site we have a change password
link and an update user info link. The password link has the standard old password, new password, confirm password
format. The update user info form doesn't have the option to update the password, just the email and other fields added.
If this were not protected, they would be able to change the password without confirming the old password.

In registration_controller.rb, get rid of ~22:

      params[:user][:password] = params[:password]
      params[:user][:password_confirmation] = params[:password_confirmation]

and add this below ~33:

      @user = User.new(params[:user])

      # these must be directly assigned now for security
      @user.password = params[:password]
      @user.password_confirmation = params[:password_confirmation]
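
As an added illustration of the report's point (example code written for this page, not code from the report, the plugin, or Rails itself): a small plain-Ruby stand-in for an ActiveRecord model, in which a `protected_attributes` list plays the part of `attr_protected`. The class names, controller-style helper methods and request hashes are all assumed for the example. It shows the hijack the report describes against the unprotected model, the same request failing against the protected one, and why the controller change is needed once the protection is in place.

```ruby
# Added example (not code from the bug report or from the plugin it concerns):
# a plain-Ruby stand-in for an ActiveRecord model, showing what the report
# describes. Assumed names: User, UnprotectedUser, the request hashes below.

# Stand-in for the model. `protected_attributes` plays the role of an
# `attr_protected :password, :password_confirmation` declaration (assumption:
# that is what the report asks the plugin to add).
class User
  ATTRIBUTES = %w[login email password password_confirmation].freeze
  attr_accessor(*ATTRIBUTES)

  def self.protected_attributes
    %w[password password_confirmation]
  end

  def initialize(attrs = {})
    self.attributes = attrs
  end

  # Mimics ActiveRecord mass assignment: every key in the hash becomes a
  # setter call, except protected keys, which are silently dropped.
  def attributes=(attrs)
    (attrs || {}).each do |key, value|
      key = key.to_s
      next unless ATTRIBUTES.include?(key)
      next if self.class.protected_attributes.include?(key)
      public_send("#{key}=", value)
    end
  end

  def update_attributes(attrs)
    self.attributes = attrs
    true
  end
end

# The model as the report found it: nothing is protected.
class UnprotectedUser < User
  def self.protected_attributes
    []
  end
end

# Registration as the controller does it today (the lines the report says to
# remove): the password fields are copied into params[:user] and mass-assigned.
def register_via_mass_assignment(model, params)
  attrs = params[:user].merge('password' => params[:password],
                              'password_confirmation' => params[:password_confirmation])
  model.new(attrs)
end

# Registration as the report proposes: mass-assign the ordinary fields, then
# set the two password fields directly so attr_protected does not drop them.
def register_with_direct_assignment(model, params)
  user = model.new(params[:user])
  user.password = params[:password]
  user.password_confirmation = params[:password_confirmation]
  user
end

# The "update user info" action: the form offers only an email field, so the
# controller forwards params[:user] unchanged.
def update_info(user, params)
  user.update_attributes(params[:user])
  user
end

# Constructed request bodies (not captured traffic).
REGISTRATION = {
  user: { 'login' => 'alice', 'email' => 'alice@example.com' },
  password: 'correct horse', password_confirmation: 'correct horse'
}.freeze
# An attacker adds a user[password] field that the update-info form never had.
TAMPERED_UPDATE = { user: { 'email' => 'alice@example.com', 'password' => 'pwned' } }.freeze

# True if the tampered update-info request changed the password without the
# old one ever being checked.
def password_hijacked?(model)
  user = register_with_direct_assignment(model, REGISTRATION)
  update_info(user, TAMPERED_UPDATE)
  user.password == 'pwned'
end

if $PROGRAM_NAME == __FILE__
  puts "unprotected model hijacked: #{password_hijacked?(UnprotectedUser)}" # true
  puts "protected model hijacked:   #{password_hijacked?(User)}"            # false
  # Old controller code plus the protected model silently loses the password:
  puts "old-style registration password: #{register_via_mass_assignment(User, REGISTRATION).password.inspect}" # nil
end
```

ActiveRecord's attr_protected removes the listed keys from the hash handed to new and update_attributes, which is why the report's second change matters as well: with the protection in place, the existing controller code that copies the password into params[:user] would register users with no password at all. An allowlist (attr_accessible) is the safer default, since any attribute added to the model later stays protected unless it is explicitly listed.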

Followup

No Followups Have Been Posted

Attached Files:

No Files Currently Attached

Changes:

No Changes Have Been Made to This Item