Reshuffle6795
How to securely set parameter for changset without allowing user manipulation?
Hello!
I’m trying to make sure a parameter in my Phoenix changeset can only be set by the server during a POST request.
I have a blogs table with a user_id foreign key referencing the user who created each blog post. I’m using the standard Phoenix auth generator. My goal is to set the user_id in the changeset based on the current_user (retrieved from the fetch_current_user plug), but I want to make sure users can’t manually set this user_id by tampering with the request.
Is the controller the correct place to set user_id in the changeset, and how can this be done securely and while ideally adhering to DRY?
I hope my question is understandable.
Thanks in advance for any help!
Marked As Solved
kokolegorille
Hello and welcome,
You might use Ecto.build_assoc instead…
This change my create signature for blog, but I am sure user_id cannot be set via attrs
def create_blog(user, attrs) do
user
|> Ecto.build_assoc(:blogs)
|> Blog.changeset(attrs)
|> Repo.insert()
end
Also Liked
al2o3cr
A simple way is to build the struct with user_id explicitly, and not include it in the cast in the changeset:
%Blog{user_id: current_user.id}
|> Blog.changeset(attrs_from_user)
|> Repo.insert()
Nicodemus
You can also manually put changes on a changeset with put_change/3.
defmodule Myapp.Mycontext.Blog do
def create_changeset(blog, user, attrs) do
blog
|> cast(attrs, [:title, :body])
|> validate_required([:title, :body])
|> put_change(:user_id, user.id)
end
end
al2o3cr
put_assoc is going to put the new foo_id into changes on the changeset, so that validations etc can see it - the bare struct update won’t do that.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








