Reshuffle6795

Reshuffle6795

How to securely set parameter for changset without allowing user manipulation?

Hello!

I’m trying to make sure a parameter in my Phoenix changeset can only be set by the server during a POST request.

I have a blogs table with a user_id foreign key referencing the user who created each blog post. I’m using the standard Phoenix auth generator. My goal is to set the user_id in the changeset based on the current_user (retrieved from the fetch_current_user plug), but I want to make sure users can’t manually set this user_id by tampering with the request.

Is the controller the correct place to set user_id in the changeset, and how can this be done securely and while ideally adhering to DRY?

I hope my question is understandable.
Thanks in advance for any help!

Marked As Solved

kokolegorille

kokolegorille

Hello and welcome,

You might use Ecto.build_assoc instead…

This change my create signature for blog, but I am sure user_id cannot be set via attrs

def create_blog(user, attrs) do
  user
  |> Ecto.build_assoc(:blogs)
  |> Blog.changeset(attrs)
  |> Repo.insert()
end

Also Liked

al2o3cr

al2o3cr

A simple way is to build the struct with user_id explicitly, and not include it in the cast in the changeset:

%Blog{user_id: current_user.id}
|> Blog.changeset(attrs_from_user)
|> Repo.insert()
Nicodemus

Nicodemus

You can also manually put changes on a changeset with put_change/3.

defmodule Myapp.Mycontext.Blog do
  def create_changeset(blog, user, attrs) do
    blog
    |> cast(attrs, [:title, :body])
    |> validate_required([:title, :body])
    |> put_change(:user_id, user.id)
  end
end
al2o3cr

al2o3cr

put_assoc is going to put the new foo_id into changes on the changeset, so that validations etc can see it - the bare struct update won’t do that.

Where Next?

Popular in Questions Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
earth10
Hi, I’m just starting to build a side-project with Elixir and Phoenix and doing some basic test with Elixir alone. What strikes me is th...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Other popular topics Top

vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
Lily
In templates/appointment/index.html.eex: <%= for appointment <- @appointments do %> <tr> <td><%= appoi...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New

We're in Beta

About us Mission Statement