almirsarajcic

almirsarajcic

Programming Phoenix LiveView: security concerns (pages 180 and 196)

Forms on both pages contain this code user_id in hidden input field:

<%= hidden_input f, :user_id %>

There could be beginners reading the book that wouldn’t understand why this is bad approach, so I suggest you don’t use the user_id from the params, but instead use the one from the current_user when saving survey data.

Most Liked

vrcca

vrcca

Agreed. I also found it pretty odd. This is how I did instead:

  defp save_demographic(socket, params) do
    params
    |> assign_current_user_param(socket)
    |> Survey.create_demographic()
    |> case do
      {:ok, demographic} ->
        send(self(), {:created_demographic, demographic})
        socket

      {:error, %Ecto.Changeset{} = changeset} ->
        assign(socket, :changeset, changeset)
    end
  end

  defp assign_current_user_param(params, socket) do
    Map.put(params, "user_id", socket.assigns.current_user.id)
  end

Also got rid of the assignment and field entirely!

mwu

mwu

Another agreed here since hidden input fields are still visible client-side (in the code) so those values can be used by bad actors.

I did the same concept as @vrcca for save_demographic/2, and for save_rating/2:


For page 196, I removed the hidden input fields:

<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>

And modified save_rating/2 on page 199 to add user_id and product_id from the values already in the socket assigns (rather than from the hidden input field):

defp save_rating(
       %{assigns: %{product_index: product_index, product: product}} = socket,
       rating_params
     ) do
  rating_params
  |> add_user_id_param(socket)
  |> add_product_id_param(socket)
  |> Survey.create_rating()
  |> case do
    {:ok, %Rating{} = rating} ->
      product = %{product | ratings: [rating]}
      send(self(), {:created_rating, product, product_index})
      socket
  
    {:error, %Ecto.Changeset{} = changeset} ->
      assign(socket, changeset: changeset)
  end
end
  
defp add_user_id_param(rating_params, socket) do
  Map.put(rating_params, "user_id", socket.assigns.current_user.id)
end
  
defp add_product_id_param(rating_params, socket) do
  Map.put(rating_params, "product_id", socket.assigns.product.id)
end

Where Next?

Popular Pragmatic Bookshelf topics Top

jimmykiang
This test is broken right out of the box… — FAIL: TestAgent (7.82s) agent_test.go:77: Error Trace: agent_test.go:77 agent_test.go:...
New
mikecargal
Title: Hands-On Rust (Chap 8 (Adding a Heads Up Display) It looks like ​.with_simple_console_no_bg​(SCREEN_WIDTH*2, SCREEN_HEIGHT*2...
New
jskubick
I’m running Android Studio “Arctic Fox” 2020.3.1 Patch 2, and I’m embarrassed to admit that I only made it to page 8 before running into ...
New
brunogirin
When I run the coverage example to report on missing lines, I get: pytest --cov=cards --report=term-missing ch7 ERROR: usage: pytest [op...
New
brunogirin
When running tox for the first time, I got the following error: ERROR: InterpreterNotFound: python3.10 I realised that I was running ...
New
creminology
Skimming ahead, much of the following is explained in Chapter 3, but new readers (like me!) will hit a roadblock in Chapter 2 with their ...
New
jwandekoken
Book: Programming Phoenix LiveView, page 142 (157/378), file lib/pento_web/live/product_live/form_component.ex, in the function below: d...
New
andreheijstek
After running /bin/setup, the first error was: The foreman' command exists in these Ruby versions: That was easy to fix: gem install fore...
New
New
bjnord
Hello @herbert ! Trying to get the very first “Hello, Bracket Terminal!" example to run (p. 53). I develop on an Amazon EC2 instance runn...
New

Other popular topics Top

AstonJ
A thread that every forum needs! Simply post a link to a track on YouTube (or SoundCloud or Vimeo amongst others!) on a separate line an...
New
Exadra37
Please tell us what is your preferred monitor setup for programming(not gaming) and why you have chosen it. Does your monitor have eye p...
New
Exadra37
I am asking for any distro that only has the bare-bones to be able to get a shell in the server and then just install the packages as we ...
New
PragmaticBookshelf
Author Spotlight Jamis Buck @jamis This month, we have the pleasure of spotlighting author Jamis Buck, who has written Mazes for Prog...
New
AstonJ
If you want a quick and easy way to block any website on your Mac using Little Snitch simply… File &gt; New Rule: And select Deny, O...
New
New
New
PragmaticBookshelf
Develop, deploy, and debug BEAM applications using BEAMOps: a new paradigm that focuses on scalability, fault tolerance, and owning each ...
New
sir.laksmana_wenk
I’m able to do the “artistic” part of game-development; character designing/modeling, music, environment modeling, etc. However, I don’t...
New
AstonJ
This is cool! DEEPSEEK-V3 ON M4 MAC: BLAZING FAST INFERENCE ON APPLE SILICON We just witnessed something incredible: the largest open-s...
New

Sub Categories: