opensoul.org

acts_as_audited security update

Thanks to Michael Schuerig for pointing out that malicious users could unassociate your audit records because of the way acts_as_audited uses has_many. has_many :audits creates an attribute accessor called audit_ids on any model you declare acts_as_audited, and because that accessor is reachable through mass assignment, a user could submit an array of ids that would overwrite which audit records are associated with the object.

This has been fixed by adding attr_protected :audit_ids, which protects it from mass assignment. If you’re not using SVN externals, make sure you get the latest version.

acts_as_audited, plugin, rails, ruby, and security September 07, 2006

2 Comments

  1. Zac June 25, 2008

    It appears that the introduction of the attr_protected :audit_ids wreaks havoc on my test suite. When the acts_as_audited plugin is used in conjunction with the restful_authentication plugin (and you are auditing the User model), all of the tests bomb with the following error:

    RuntimeError: Declare either attr_protected or attr_accessible for User, but not both.

    If I comment out the attr_protected :audit_ids line in the acts_as_audited.rb file, then the errors go away. I am trying to figure out a way to fix this without leaving the security hole mentioned above, but I wanted to throw this out there to see if anyone else had run into this, and could offer a possible solution.

  2. FrankL August 1, 2008

    Zac,

    It isn’t just a test stopper. I have a model to audit that bombs in the run because it has several attr_accessible attributes.

I am Brandon Keepers. I build Internet things, usually with Ruby or JavaScript. I work at GitHub and live in Holland, MI.
