almirsarajcic
Programming Phoenix LiveView: security concerns (pages 180 and 196)
Forms on both pages contain this code user_id in hidden input field:
<%= hidden_input f, :user_id %>
There could be beginners reading the book that wouldn’t understand why this is bad approach, so I suggest you don’t use the user_id from the params, but instead use the one from the current_user when saving survey data.
Most Liked
vrcca
Agreed. I also found it pretty odd. This is how I did instead:
defp save_demographic(socket, params) do
params
|> assign_current_user_param(socket)
|> Survey.create_demographic()
|> case do
{:ok, demographic} ->
send(self(), {:created_demographic, demographic})
socket
{:error, %Ecto.Changeset{} = changeset} ->
assign(socket, :changeset, changeset)
end
end
defp assign_current_user_param(params, socket) do
Map.put(params, "user_id", socket.assigns.current_user.id)
end
Also got rid of the assignment and field entirely!
mwu
Another agreed here since hidden input fields are still visible client-side (in the code) so those values can be used by bad actors.
I did the same concept as @vrcca for save_demographic/2, and for save_rating/2:
For page 196, I removed the hidden input fields:
<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>
And modified save_rating/2 on page 199 to add user_id and product_id from the values already in the socket assigns (rather than from the hidden input field):
defp save_rating(
%{assigns: %{product_index: product_index, product: product}} = socket,
rating_params
) do
rating_params
|> add_user_id_param(socket)
|> add_product_id_param(socket)
|> Survey.create_rating()
|> case do
{:ok, %Rating{} = rating} ->
product = %{product | ratings: [rating]}
send(self(), {:created_rating, product, product_index})
socket
{:error, %Ecto.Changeset{} = changeset} ->
assign(socket, changeset: changeset)
end
end
defp add_user_id_param(rating_params, socket) do
Map.put(rating_params, "user_id", socket.assigns.current_user.id)
end
defp add_product_id_param(rating_params, socket) do
Map.put(rating_params, "product_id", socket.assigns.product.id)
end
Popular Pragmatic Bookshelf topics
Other popular topics
Categories:
Sub Categories:
Popular Portals
- /elixir
- /rust
- /ruby
- /wasm
- /erlang
- /phoenix
- /keyboards
- /python
- /js
- /rails
- /security
- /go
- /swift
- /vim
- /clojure
- /emacs
- /haskell
- /java
- /svelte
- /onivim
- /typescript
- /kotlin
- /c-plus-plus
- /crystal
- /tailwind
- /react
- /gleam
- /ocaml
- /elm
- /flutter
- /vscode
- /ash
- /html
- /opensuse
- /centos
- /php
- /zig
- /deepseek
- /scala
- /textmate
- /lisp
- /sublime-text
- /react-native
- /nixos
- /debian
- /agda
- /kubuntu
- /arch-linux
- /deno
- /django
- /revery
- /nodejs
- /ubuntu
- /spring
- /manjaro
- /diversity
- /lua
- /julia
- /c
- /slackware
Devtalk Sponsors
Practical resources that improve the lives of professional developers.
We build trusted fault-tolerant systems that scale to billions of users.
Real-time error tracking, performance insights, and observability for devs.
Supporting innovation across the BEAM ecosystem.
Develop your skills with books, videos, and courses.
Catch errors, track performance, monitor hosts and more.
Enabling companies to succeed by building software people love.
Courses that move you from confusion to "Aha, now I get it!"