LostKobrakai

LostKobrakai

32) ElixirConf 2017: Plugging the Security Holes in Your Phoenix Application

After having watched the talk I’m wondering if this would also be a good opportunity to gather examples / tips about how to prevent or mitigate the mentioned issues. I’d expect the e.g. for the mentioned session issue there might already be examples out there. Also I’m especially curious about the last topic on mass assignment. How do you guys handle changesets which are allowed to change things like admin flags or alike, so at best they’re not accidentally usable from any frontend forms.

Most Liked

LostKobrakai

LostKobrakai

I’ll start by adding my captain obvious solution to prevent accidental changes to admin flag fields: Don’t handle it through the params sent to changeset/2, but only allow them to be changed by custom functions.

def make_admin(%User{} = user) do
  user
  |> Ecto.Changeset.change(%{is_admin: true})
  |> Repo.update()
end

def put_admin_flag(%Ecto.Changeset{} = changeset) do
  Ecto.Changeset.change(changeset, %{is_admin: true})
end

This way in each places, where setting that flag should indeed be possible it has to be done explicitly, independent to any changeset/2 functions/params.

benwilson512

benwilson512

Author of Craft GraphQL APIs in Elixir with Absinthe

One person’s duplication is another’s de-coupling. :slight_smile:

griffinbyatt

griffinbyatt

I’ll comment with some of my thoughts a bit later when I have some more time. Until then, I wanted to say thanks for posting, and I’m happy to answer questions about the content if anyone has any!

Where Next?

Popular in Talks Top

axelson
ElixirConf 2017 - Elixir by the Bellyful - @bryanhunter Elixir makes me happy! Since 2007 I have been on the...
New
santosh79
Hi Group, Does anyone have suggestions on a video or talk they had seen at a conference that covered OTP (in Elixir) starting from the b...
New
kokolegorille
Lonestar Elixir 2018 videos are starting to pop up :slight_smile: https://www.youtube.com/channel/UCOy-_b9bqjokoWX9Hg5ZgUg Day 1 Chris ...
New
axelson
ElixirConf US 2018 – You Can Never Debug the Code You Run, But You Can View the Code the Debugger is Running – Luke Imhoff (@KronicDeth) ...
New
ShalokShalom
So, there is another Erlang VM on the way :hugs:
New
blatyo
Looks like videos have started to go up for ElixirConf US 2018. Here’s the playlist of ones available so far. I expect it’ll get updated ...
New
CodeSync
Code Sync: Vaxine, the Rich CRDT Database for ElixirPhoenix Apps | James Arthur | Code BEAM America 2022 Comments welcome! View the <spa...
New
axelson
ElixirConf US 2018 – Building Video Chat with Elixir &amp; Phoenix – Anil Wadghule (@anildigital) In this t...
New
axelson
ElixirConf 2017 - Elixir The Toyota Way - Powell Kinney Toyota has a century-long legacy of innovation in ma...
New
axelson
by @jola Can you write a performant string processing scripts in Elixir? This talk attempts to answer that question while incrementally...
New

Other popular topics Top

vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

We're in Beta

About us Mission Statement