Exposing the Vulnerability Devise and Rails Leave Open

You can easily verify the security hole in our application by creating a new user, signing out, changing that user’s email in the database, and logging back in using the new email and previous password. This problem may seem academic, but it’s more likely than you might think.

Even in a small company, there could be processes that access the database that aren't part of our application, and so won't benefit from the validations in our User model. Further, Rails itself provides methods like update_attribute that circumvent the validations, meaning a software bug that used one of these methods could introduce a vulnerability.
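As an added illustration (not code from the book), the following SQL moves the email rule into Postgres itself, so a direct database change and a validation-skipping call like update_attribute hit the same check. It assumes the model's validation requires a present email in the company's domain; the domain example.com is a placeholder, since the exact rule is not stated above.

```sql
-- Added example, not from the book. Assumed rule: email is present and
-- belongs to the company domain (example.com is a placeholder).

-- A minimal users table in the shape Devise creates (id, email, encrypted_password).
CREATE TABLE users (
  id                 serial PRIMARY KEY,
  email              text   NOT NULL,
  encrypted_password text   NOT NULL
);

-- The same rule the User model validates, enforced by the database:
-- one local part, no whitespace, and the company domain (case-insensitive match).
ALTER TABLE users
  ADD CONSTRAINT users_email_company_domain
  CHECK (email ~* '^[^@[:space:]]+@example\.com$');

-- A valid row created the way the application would create it.
INSERT INTO users (email, encrypted_password)
VALUES ('alice@example.com', '<devise-hash-placeholder>');

-- The scenario from the text: the email is changed outside the application.
-- With the constraint in place, Postgres rejects the change with a
-- check-constraint violation, whether it comes from psql, a script, or
-- a Rails call that skips validations.
UPDATE users
   SET email = 'alice@other.example'
 WHERE email = 'alice@example.com';

-- A change that still satisfies the rule is accepted as before.
UPDATE users
   SET email = 'alice.smith@example.com'
 WHERE email = 'alice@example.com';
```

In a Rails migration the ALTER TABLE statement goes in an `execute` call, since schema.rb does not capture CHECK constraints on older Rails versions; the book uses structure.sql for that reason.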

How could this issue become a real problem? Consider ...
