acts_as_audited security update

September 7, 2006 code 1 min read

Thanks to Michael Schuerig for pointing out that malicious users could unassociate your audit records due to the use of has\_many in acts\_as\_audited. has\_many :audits creates an attribute accessor called audit\_ids on the model objects that you declare acts\_as\_audited, which could allow users to pass an array of ids that would overwrite the actual audit records.

This has been fixed by adding attr\_protected :audit\_ids, which protects it from mass assignment. If you're not using SVN externals, make sure you get the latest version.

This content is open source. Suggest Improvements.


avatar of Brandon Keepers I am Brandon Keepers, and I work at GitHub on making Open Source more approachable, effective, and ubiquitous. I tend to think like an engineer, work like an artist, dream like an astronaut, love like a human, and sleep like a baby.