can anypne help me out with mass assignment vulnerability solution.
Thanks
can anypne help me out with mass assignment vulnerability solution.
Thanks
If I understand the description from wikipedia correctly, then this is mitigated by carefully aplying changesets.
Hi Nobbz,
Thanks for reply. Can you please explain more about this solution.
Because You can specify what attributes are casted in a changeset, You can set attributes white list, which avoid mass assigment.
Also You can have multiple changesets, depending on what update You want to achieve.
So, no mass assigment problem
Specifically the cast function is used to specify which data from an input should be added to the struct.
@Abhishek14 To expand on what the others said - you probably have a def changeset
function for your schema, which you explicitly call in your context functions - eg `
def create_post(attrs) do
%Post{}
|> Post.changeset(attrs)
|> Repo.insert()
end
But there’s nothing special about those names. You could have a admin_create_post/1
which calls Post.admin_changeset/2
and does different casting and validations, or a restricted_create_post/1
which calls Post.restricted_changeset/2
, etc. You could call different changeset functions when creating and updating (or have your changeset/1
dispatch to different ones based on whether the record is persisted yet). It’s all up to you.
But basically, anytime you save data you get from a user, you should ensure that you pass the data through a changeset function which only accepts the data that the user should be allowed to give you.