
Rails, Angular, Postgres, and Bootstrap, 2nd Edition by David B. Copeland


Exposing the Vulnerability Devise and Rails Leave Open

You can easily verify the security hole in our application by creating a new user, signing out, changing that user’s email in the database, and logging back in using the new email and previous password. This problem may seem academic, but it’s more likely than you might think.

Even in a small company, there could be processes that access the database that aren’t part of our application, and so won’t benefit from the validations in our User model. Further, Rails itself provides methods like update_attribute that skip validations entirely, so a software bug that used one of these methods could introduce the same vulnerability from inside the application.
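To make the two enforcement layers concrete, here is an added example (not code from the book or its sample application). It runs without Rails or Postgres: a tiny stand-in for a users table plays the role of a database-level CHECK constraint, and a stand-in model mimics ActiveRecord's update (validates first) and update_attribute (skips validation). The rule that emails must end in @example.com is an assumption made for the example.

```ruby
# Added example, not from the book. Simulates model validations versus a
# storage-level constraint so the bypass paths discussed above can be seen.
ALLOWED_DOMAIN = 'example.com'.freeze # assumed rule for this example

class ConstraintViolation < StandardError; end

# Stand-in for a database table with a CHECK constraint on email.
# Every write path, whether from the app or not, goes through here.
class UsersTable
  def initialize
    @rows = {}
  end

  def write(id, attrs)
    email = attrs[:email]
    # Mimics a CHECK constraint: enforced regardless of who performs the write.
    unless email.is_a?(String) && email.end_with?("@#{ALLOWED_DOMAIN}")
      raise ConstraintViolation, "email #{email.inspect} violates check constraint"
    end
    @rows[id] = attrs.dup
  end

  def read(id)
    row = @rows[id]
    row && row.dup
  end
end

# Stand-in for a model: validates on the normal path, but also exposes an
# update_attribute-style method that skips validations, as Rails does.
class User
  attr_reader :id, :attributes, :errors

  def initialize(table, id, attributes)
    @table, @id, @attributes, @errors = table, id, attributes, []
  end

  def valid?
    @errors = []
    email = @attributes[:email].to_s
    @errors << "email must be an #{ALLOWED_DOMAIN} address" unless email.end_with?("@#{ALLOWED_DOMAIN}")
    @errors.empty?
  end

  # Normal path: validations run before anything is written.
  def update(attrs)
    @attributes = @attributes.merge(attrs)
    return false unless valid?
    @table.write(@id, @attributes)
    true
  end

  # Like ActiveRecord#update_attribute: no validations at all.
  def update_attribute(name, value)
    @attributes = @attributes.merge(name => value)
    @table.write(@id, @attributes)
    true
  end
end

# Exercises the three write paths and reports what each one did.
def demonstrate
  table = UsersTable.new
  user = User.new(table, 1, email: 'alice@example.com', password_digest: '<digest>')
  table.write(1, user.attributes)
  result = {}

  # 1. Validated path: the model rejects the change before any write.
  result[:update_rejected] = (user.update(email: 'alice@elsewhere.test') == false)

  # 2. Validation-skipping path inside the app: only the constraint stops it.
  begin
    user.update_attribute(:email, 'alice@elsewhere.test')
    result[:update_attribute_caught] = false
  rescue ConstraintViolation
    result[:update_attribute_caught] = true
  end

  # 3. A write from outside the application (no model involved at all).
  begin
    table.write(1, email: 'alice@elsewhere.test', password_digest: '<digest>')
    result[:direct_write_caught] = false
  rescue ConstraintViolation
    result[:direct_write_caught] = true
  end

  result[:stored_email] = table.read(1)[:email]
  result
end

puts demonstrate.inspect if $PROGRAM_NAME == __FILE__
```

The point of the third case is the one the text makes: a process that never loads the User model sees none of its validations, so the only check that applies to it is whatever the database itself enforces.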

How could this issue become a real problem? Consider ...
