Cast_assoc is null?

idi527 · May 19, 2018, 10:57am

tl;dr

Just don’t put it into the params / changeset. Treat the params as an opaque data structure.

# in your controller

def create(conn, %{"magnet" => magnet_params}) do
    case Magnets.create_magnet(magnet_params, for: conn.assigns.current_user) do
      {:ok, magnet} ->
        conn
        |> put_flash(:info, "Magnet created successfully.")
        |> redirect(to: magnet_path(conn, :show, magnet))
      {:error, %Ecto.Changeset{} = changeset} ->
        render(conn, "new.html", changeset: changeset)
    end
end

# in your business logic module

def create_magnet(attrs, for: %User{id: user_id}) do
  %Magnet{user_id: user_id}
  |> Magnet.changeset(attrs)
  |> Repo.insert()
end

# in the module where you schema / changesets are defined
def changeset(manget, attrs) do
  magnet
  |> cast(attrs, [:title, :description, :content])
  |> validate_required([:title, :description, :content])
end

github.com/nccgroup/sobelow

casting foreign keys in ecto changesets

opened 08:49AM - 09 Mar 18 UTC

ghost

feature

👋 Not particularly phoenix related, but is it possible to catch if foreign ke…ys can be set from `params` passed in by a user through a controller action? Abusing different ecto `cast`s down the line (up the stack?) allows attackers to modify resources that don't belong to them. I've seen many phoenix projects do something like this ```elixir # controller def some_action(conn, params) do # ... Resources.create(params) # or update, or delete # ... end # schema / changeset schema "resources" do # ... belongs_to(:something, Something) # ... end def changeset(resource, attrs) do resource |> cast(attrs, [:something_id, ...]) # or cast_assoc(:something) # or put_assoc(:something) end # resources context def create(attrs) do %Resource{} |> Resource.changeset(attrs) |> Repo.insert() end ``` As a possible solution / suggestion: ```elixir # don't cast foreign keys in Resource.changeset # but pass them in Resources.create @spec create(attrs, for: pos_integer) :: {:ok, Resource.t} | {:error, Ecto.Changeset.t} def create(attrs, for: something_id) do %Resource{something_id: something_id} |> Resource.changeset(attrs) |> Repo.insert() end # or @spec create(attrs, for: Something.t) :: {:ok, Resource.t} | {:error, Ecto.Changeset.t} def create(attrs, for: %Something{id: something_id}) do %Resource{something_id: something_id} |> Resource.changeset(attrs) |> Repo.insert() end # controller action then becomes def some_action(conn, params) do # something or something_id are set by some plug (possibly based on user id) something = conn.assigns.something # or something_id = conn.assigns.something_id Resources.create(params, for: something) # ... end ```