LostKobrakai

LostKobrakai

32) ElixirConf 2017: Plugging the Security Holes in Your Phoenix Application

After having watched the talk I’m wondering if this would also be a good opportunity to gather examples / tips about how to prevent or mitigate the mentioned issues. I’d expect the e.g. for the mentioned session issue there might already be examples out there. Also I’m especially curious about the last topic on mass assignment. How do you guys handle changesets which are allowed to change things like admin flags or alike, so at best they’re not accidentally usable from any frontend forms.

Most Liked

LostKobrakai

LostKobrakai

I’ll start by adding my captain obvious solution to prevent accidental changes to admin flag fields: Don’t handle it through the params sent to changeset/2, but only allow them to be changed by custom functions.

def make_admin(%User{} = user) do
  user
  |> Ecto.Changeset.change(%{is_admin: true})
  |> Repo.update()
end

def put_admin_flag(%Ecto.Changeset{} = changeset) do
  Ecto.Changeset.change(changeset, %{is_admin: true})
end

This way in each places, where setting that flag should indeed be possible it has to be done explicitly, independent to any changeset/2 functions/params.

benwilson512

benwilson512

Author of Craft GraphQL APIs in Elixir with Absinthe

One person’s duplication is another’s de-coupling. :slight_smile:

griffinbyatt

griffinbyatt

I’ll comment with some of my thoughts a bit later when I have some more time. Until then, I wanted to say thanks for posting, and I’m happy to answer questions about the content if anyone has any!

Where Next?

Popular in Talks Top

axelson
ElixirConf 2017 - Streaming Video with Elixir - @johnwahba Running a video stream is challenging. You can’t ...
New
axelson
ElixirConf 2017 - Elixir by the Bellyful - @bryanhunter Elixir makes me happy! Since 2007 I have been on the...
New
kokolegorille
Lonestar Elixir 2018 videos are starting to pop up :slight_smile: https://www.youtube.com/channel/UCOy-_b9bqjokoWX9Hg5ZgUg Day 1 Chris ...
New
axelson
Here’s today’s talk: ElixirConf 2017 - Don’t Write Macros But Do Learn How They Work - by @jessejanderson ...
New
axelson
ElixirConf 2017 - Live APIs with GraphQL Subscriptions - @bruce and @benwilson512 APIs have gone live with G...
New
axelson
ElixirConf 2017 - Its Better Unstated - @tjstankus This is a story about transitioning an obsession with obj...
New
New
rodrigues
Whether you’re developing a small web site or a large-scale distributed system, Erlang and Elixir are great tools for building server-sid...
New
AstonJ
File uploads are an essential part of many web applications, but often handling them can be tricky, which explains why they are one of th...
New
axelson
ElixirConf 2017 - Closing Keynote - @chrismccord All talks are available in the Elixir Conf 2017 Talks List o...
New

Other popular topics Top

malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
Lily
In templates/appointment/index.html.eex: <%= for appointment <- @appointments do %> <tr> <td><%= appoi...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

We're in Beta

About us Mission Statement