
Ruby

Help! Why params[:status].delete(:user_id)?

I'm working through Ruby Rapids and so far everything has been great. However, I'm really confused by the section Building Social Features > Creating Friendships > What is a Join Table?

I don't understand the logic behind this code:

if params[:status] && params[:status].has_key?(:user_id)
  params[:status].delete(:user_id)
end

So... if the params has both :status AND :user_id, we are deleting the user_id. Why is the presence of user_id a problem?

Thanks a lot!

3 Answers

Jim Hoskins (STAFF, Treehouse Guest Teacher)

Here's the problem: if you allow someone to send the user_id when updating the status, they could change the form such that it will set the user_id to someone else's user id. If that's allowed, it's effectively allowing people to create a status that looks like it was posted by someone else.

By removing the user_id, we are saying you could update the content of the message, but not "who" posted the message.

This is a common and important security concern. Earlier this year GitHub was bitten by a similar error, where you could add authentication keys to your account, but you could also change the owner of that key. So you could upload your key, say it belongs to someone else, and then your key worked on that other account. They fixed it, and it's important to consider such security issues in your apps, be they Ruby on Rails or anything else.
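The scenario Jim describes, as an added example that is not part of the original post or the Treehouse course: plain Ruby with no Rails loaded, where `Status`, the `params` hashes and the `EDITABLE_STATUS_KEYS` whitelist are constructed stand-ins. It runs the same request through an unsafe update that writes every submitted key, and through the `delete(:user_id)` guard from the question combined with a whitelist emulating the Rails 4 strong-params idea (not the real `ActionController::Parameters#permit`).

```ruby
# Added example (not from the Treehouse course or the original post): plain Ruby
# that simulates what the controller code in the question is protecting against.
# No Rails is loaded; Status and the params hashes are constructed stand-ins.

Status = Struct.new(:id, :user_id, :content)

# Keys a user may legitimately change on their own status. Assumption for this
# example: only the text of the status is editable.
EDITABLE_STATUS_KEYS = [:content].freeze

# Mirrors the snippet from the question: if the nested :status hash carries a
# :user_id, drop it before the update so the poster cannot be reassigned.
def strip_user_id(params)
  if params[:status] && params[:status].has_key?(:user_id)
    params[:status].delete(:user_id)
  end
  params
end

# Rails 4 strong-params style whitelist, emulated in plain Ruby (not the real
# ActionController::Parameters#permit): keeps only the allowed keys.
def permit_status_params(params)
  status = params[:status] || {}
  status.select { |key, _| EDITABLE_STATUS_KEYS.include?(key) }
end

# The unsafe "before": every key in params[:status] is written to the record,
# so a tampered form can change user_id and make the status look like
# someone else's post.
def update_status_unsafe(status, params)
  (params[:status] || {}).each { |key, value| status[key] = value }
  status
end

# The safe update: only whitelisted keys reach the record, and user_id is
# stripped first exactly as the question's snippet does.
def update_status_safe(status, params)
  permit_status_params(strip_user_id(params)).each { |key, value| status[key] = value }
  status
end

# Constructed request: user 1 owns status 42, but the submitted form has been
# edited to carry user_id: 2 alongside the new content.
def tampered_params
  { id: 42, status: { content: "hello from a forged form", user_id: 2 } }
end

# Runs both code paths on the same tampered request and reports who ends up
# as the owner of the status in each case.
def demo
  owner_id = 1
  unsafe = update_status_unsafe(Status.new(42, owner_id, "original"), tampered_params)
  safe   = update_status_safe(Status.new(42, owner_id, "original"), tampered_params)
  { unsafe_owner: unsafe.user_id, safe_owner: safe.user_id, safe_content: safe.content }
end

if __FILE__ == $PROGRAM_NAME
  puts demo.inspect
end
```

Running the file prints the owner after each path: the unsafe update hands the status to user 2, while the guarded update keeps user 1 as owner and still applies the new content, which is the "update the message, but not who posted it" behaviour the answer describes.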

Great questions! Good idea to post this on the Forum :D

I'll be getting in touch with Jim and Jason about this Forum post shortly, but would you be able to email us at help@teamtreehouse.com with screenshots or links to the code challenges you've had difficulties with - and maybe a bit more detail? We're happy to help :)

Hi Jim, I was also confused when watching the video regarding the purpose of this code, but I am using Rails 4. From your explanation above and my understanding of strong params... the above code snippet from Tobias is no longer necessary and the same result can be achieved by removing user_id from the whitelist?

Is that correct, or have I missed something...

Cheers, Neill