almirsarajcic

almirsarajcic

Programming Phoenix LiveView: security concerns (pages 180 and 196)

Forms on both pages contain this code user_id in hidden input field:

<%= hidden_input f, :user_id %>

There could be beginners reading the book that wouldn’t understand why this is bad approach, so I suggest you don’t use the user_id from the params, but instead use the one from the current_user when saving survey data.

Most Liked

vrcca

vrcca

Agreed. I also found it pretty odd. This is how I did instead:

  defp save_demographic(socket, params) do
    params
    |> assign_current_user_param(socket)
    |> Survey.create_demographic()
    |> case do
      {:ok, demographic} ->
        send(self(), {:created_demographic, demographic})
        socket

      {:error, %Ecto.Changeset{} = changeset} ->
        assign(socket, :changeset, changeset)
    end
  end

  defp assign_current_user_param(params, socket) do
    Map.put(params, "user_id", socket.assigns.current_user.id)
  end

Also got rid of the assignment and field entirely!

mwu

mwu

Another agreed here since hidden input fields are still visible client-side (in the code) so those values can be used by bad actors.

I did the same concept as @vrcca for save_demographic/2, and for save_rating/2:


For page 196, I removed the hidden input fields:

<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>

And modified save_rating/2 on page 199 to add user_id and product_id from the values already in the socket assigns (rather than from the hidden input field):

defp save_rating(
       %{assigns: %{product_index: product_index, product: product}} = socket,
       rating_params
     ) do
  rating_params
  |> add_user_id_param(socket)
  |> add_product_id_param(socket)
  |> Survey.create_rating()
  |> case do
    {:ok, %Rating{} = rating} ->
      product = %{product | ratings: [rating]}
      send(self(), {:created_rating, product, product_index})
      socket
  
    {:error, %Ecto.Changeset{} = changeset} ->
      assign(socket, changeset: changeset)
  end
end
  
defp add_user_id_param(rating_params, socket) do
  Map.put(rating_params, "user_id", socket.assigns.current_user.id)
end
  
defp add_product_id_param(rating_params, socket) do
  Map.put(rating_params, "product_id", socket.assigns.product.id)
end

Where Next?

Popular Pragmatic Bookshelf topics Top

New
swlaschin
The book has the same “Problem space/Solution space” diagram on page 18 as is on page 17. The correct Problem/Solution space diagrams ar...
New
adamwoolhether
I’m not quite sure what’s going on here, but I’m unable to have to containers successfully complete the Readiness/Liveness checks. I’m im...
New
tkhobbes
After some hassle, I was able to finally run bin/setup, now I have started the rails server but I get this error message right when I vis...
New
a.zampa
@mfazio23 I’m following the indications of the book and arriver ad chapter 10, but the app cannot be compiled due to an error in the Bas...
New
dtonhofer
@parrt In the context of Chapter 4.3, the grammar Java.g4, meant to parse Java 6 compilation units, no longer passes ANTLR (currently 4....
New
bjnord
Hello @herbert ! Trying to get the very first “Hello, Bracket Terminal!" example to run (p. 53). I develop on an Amazon EC2 instance runn...
New
gorkaio
root_layout: {PentoWeb.LayoutView, :root}, This results in the following following error: no “root” html template defined for PentoWeb...
New
dachristenson
I just bought this book to learn about Android development, and I’m already running into a major issue in Ch. 1, p. 20: “Update activity...
New
dachristenson
@mfazio23 Android Studio will not accept anything I do when trying to use the Transformations class, as described on pp. 140-141. Googl...
New

Other popular topics Top

malloryerik
Any thoughts on Svelte? Svelte is a radical new approach to building user interfaces. Whereas traditional frameworks like React and Vue...
New
Exadra37
I am thinking in building or buy a desktop computer for programing, both professionally and on my free time, and my choice of OS is Linux...
New
PragmaticBookshelf
Design and develop sophisticated 2D games that are as much fun to make as they are to play. From particle effects and pathfinding to soci...
New
AstonJ
There’s a whole world of custom keycaps out there that I didn’t know existed! Check out all of our Keycaps threads here: https://forum....
New
AstonJ
This looks like a stunning keycap set :orange_heart: A LEGENDARY KEYBOARD LIVES ON When you bought an Apple Macintosh computer in the e...
New
Margaret
Hello content creators! Happy new year. What tech topics do you think will be the focus of 2021? My vote for one topic is ethics in tech...
New
Maartz
Hi folks, I don’t know if I saw this here but, here’s a new programming language, called Roc Reminds me a bit of Elm and thus Haskell. ...
New
mafinar
This is going to be a long an frequently posted thread. While talking to a friend of mine who has taken data structure and algorithm cou...
New
AstonJ
If you want a quick and easy way to block any website on your Mac using Little Snitch simply… File &gt; New Rule: And select Deny, O...
New
New

Sub Categories: