How to securely set parameter for changset without allowing user manipulation?

Reshuffle6795 · October 27, 2024, 11:30pm

Hello!

I’m trying to make sure a parameter in my Phoenix changeset can only be set by the server during a POST request.

I have a blogs table with a user_id foreign key referencing the user who created each blog post. I’m using the standard Phoenix auth generator. My goal is to set the user_id in the changeset based on the current_user (retrieved from the fetch_current_user plug), but I want to make sure users can’t manually set this user_id by tampering with the request.

Is the controller the correct place to set user_id in the changeset, and how can this be done securely and while ideally adhering to DRY?

I hope my question is understandable.
Thanks in advance for any help!

kokolegorille · October 27, 2024, 11:45pm

Hello and welcome,

You might use Ecto.build_assoc instead…

This change my create signature for blog, but I am sure user_id cannot be set via attrs

def create_blog(user, attrs) do
  user
  |> Ecto.build_assoc(:blogs)
  |> Blog.changeset(attrs)
  |> Repo.insert()
end

al2o3cr · October 28, 2024, 1:03am

A simple way is to build the struct with user_id explicitly, and not include it in the cast in the changeset:

%Blog{user_id: current_user.id}
|> Blog.changeset(attrs_from_user)
|> Repo.insert()

sodapopcan · October 28, 2024, 2:39am

Oooo! Ok, so I have always wondered this.

Is there any difference between |> put_assoc(:foo, foo) and %__MODULE__{foo_id: foo.id}? There certainly is if you are doing an update since you then need %__MODULE__{foo | id: foo.id} but it’s still kind of the same thing.

This is just one of those things that I’ve always wondered because I used to always not use put_assoc but then eventually just started using it always. I have never encountered discrepancies between the two versions so I have never been able to confidently say that I know why I’m using one over the other.

Nicodemus · October 28, 2024, 5:50pm

You can also manually put changes on a changeset with put_change/3.

defmodule Myapp.Mycontext.Blog do
  def create_changeset(blog, user, attrs) do
    blog
    |> cast(attrs, [:title, :body])
    |> validate_required([:title, :body])
    |> put_change(:user_id, user.id)
  end
end

Reshuffle6795 · October 28, 2024, 5:57pm

Wow, I don’t know why I forgot about that, but you’re right, that seems to be by far the easiest way. Thank you!

Reshuffle6795 · October 28, 2024, 5:58pm

That also seems like a nice option, thanks!

Reshuffle6795 · October 28, 2024, 5:59pm

Alright, that also seems good, thanks!

al2o3cr · October 29, 2024, 2:49am

put_assoc is going to put the new foo_id into changes on the changeset, so that validations etc can see it - the bare struct update won’t do that.