password_confirmation is persisted

[jamesyu]

You should probably filter out password_confirmation in the Users#create params. Right now, it creates Users and exposes the password in the password_confirmation field on Users.

[adelevie]

Agreed. Should the fix be specific to this rails app or should the logic be
in parse_resource? It's tough balancing flexibility against having things
just work.

On Monday, April 16, 2012, James Yu wrote:

You should probably filter out password_confirmation in the Users#create
params. Right now, it creates Users and exposes the password in the
password_confirmation field on Users.

---

Reply to this email directly or view it on GitHub:
#1

[jamesyu]

Maybe the best way is to make it so that Parse Resource only respects fields which you explicitly define in the model. That way it's kinda like attr_accessible -- hackers won't be able to inject fields willy-nilly based on form params.

[adelevie]

Agreed. Safe by default is the way to go.

On Monday, April 16, 2012, James Yu wrote:

Maybe the best way is to make it so that Parse Resource only respects
fields which you explicitly define in the model. That way it's kinda like
attr_accessible -- hackers won't be able to inject fields willy-nilly based
on form params.

---

Reply to this email directly or view it on GitHub:

#1 (comment)