almirsarajcic

almirsarajcic

Programming Phoenix LiveView: security concerns (pages 180 and 196)

Forms on both pages contain this code user_id in hidden input field:

<%= hidden_input f, :user_id %>

There could be beginners reading the book that wouldn’t understand why this is bad approach, so I suggest you don’t use the user_id from the params, but instead use the one from the current_user when saving survey data.

Most Liked

vrcca

vrcca

Agreed. I also found it pretty odd. This is how I did instead:

  defp save_demographic(socket, params) do
    params
    |> assign_current_user_param(socket)
    |> Survey.create_demographic()
    |> case do
      {:ok, demographic} ->
        send(self(), {:created_demographic, demographic})
        socket

      {:error, %Ecto.Changeset{} = changeset} ->
        assign(socket, :changeset, changeset)
    end
  end

  defp assign_current_user_param(params, socket) do
    Map.put(params, "user_id", socket.assigns.current_user.id)
  end

Also got rid of the assignment and field entirely!

mwu

mwu

Another agreed here since hidden input fields are still visible client-side (in the code) so those values can be used by bad actors.

I did the same concept as @vrcca for save_demographic/2, and for save_rating/2:


For page 196, I removed the hidden input fields:

<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>

And modified save_rating/2 on page 199 to add user_id and product_id from the values already in the socket assigns (rather than from the hidden input field):

defp save_rating(
       %{assigns: %{product_index: product_index, product: product}} = socket,
       rating_params
     ) do
  rating_params
  |> add_user_id_param(socket)
  |> add_product_id_param(socket)
  |> Survey.create_rating()
  |> case do
    {:ok, %Rating{} = rating} ->
      product = %{product | ratings: [rating]}
      send(self(), {:created_rating, product, product_index})
      socket
  
    {:error, %Ecto.Changeset{} = changeset} ->
      assign(socket, changeset: changeset)
  end
end
  
defp add_user_id_param(rating_params, socket) do
  Map.put(rating_params, "user_id", socket.assigns.current_user.id)
end
  
defp add_product_id_param(rating_params, socket) do
  Map.put(rating_params, "product_id", socket.assigns.product.id)
end

Where Next?

Popular Pragmatic Bookshelf topics Top

brianokken
Many tasks_proj/tests directories exist in chapters 2, 3, 5 that have tests that use the custom markers smoke and get, which are not decl...
New
GilWright
Working through the steps (checking that the Info,plist matches exactly), run the demo game and what appears is grey but does not fill th...
New
Alexandr
Hi everyone! There is an error on the page 71 in the book “Programming machine learning from coding to depp learning” P. Perrotta. You c...
New
lirux
Hi Jamis, I think there’s an issue with a test on chapter 6. I own the ebook, version P1.0 Feb. 2019. This test doesn’t pass for me: ...
New
conradwt
First, the code resources: Page 237: rumbl_umbrella/apps/rumbl/mix.exs Note: That this file is missing. Page 238: rumbl_umbrella/app...
New
adamwoolhether
I’m not quite sure what’s going on here, but I’m unable to have to containers successfully complete the Readiness/Liveness checks. I’m im...
New
New
Henrai
Hi, I’m working on the Chapter 8 of the book. After I add add the point_offset, I’m still able to see acne: In the image above, I re...
New
jwandekoken
Book: Programming Phoenix LiveView, page 142 (157/378), file lib/pento_web/live/product_live/form_component.ex, in the function below: d...
New
tkhobbes
After some hassle, I was able to finally run bin/setup, now I have started the rails server but I get this error message right when I vis...
New

Other popular topics Top

Devtalk
Hello Devtalk World! Please let us know a little about who you are and where you’re from :nerd_face:
New
Exadra37
I am thinking in building or buy a desktop computer for programing, both professionally and on my free time, and my choice of OS is Linux...
New
AstonJ
You might be thinking we should just ask who’s not using VSCode :joy: however there are some new additions in the space that might give V...
New
Exadra37
On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a ...
New
dimitarvp
Small essay with thoughts on macOS vs. Linux: I know @Exadra37 is just waiting around the corner to scream at me “I TOLD YOU SO!!!” but I...
New
gagan7995
API 4 Path: /user/following/ Method: GET Description: Returns the list of all names of people whom the user follows Response [ { ...
New
AstonJ
We’ve talked about his book briefly here but it is quickly becoming obsolete - so he’s decided to create a series of 7 podcasts, the firs...
New
PragmaticBookshelf
Author Spotlight: Karl Stolley @karlstolley Logic! Rhetoric! Prag! Wow, what a combination. In this spotlight, we sit down with Karl ...
New
PragmaticBookshelf
Author Spotlight: Peter Ullrich @PJUllrich Data is at the core of every business, but it is useless if nobody can access and analyze ...
New
CommunityNews
A Brief Review of the Minisforum V3 AMD Tablet. Update: I have created an awesome-minisforum-v3 GitHub repository to list information fo...
New

Sub Categories: