almirsarajcic

almirsarajcic

Programming Phoenix LiveView: security concerns (pages 180 and 196)

Forms on both pages contain this code user_id in hidden input field:

<%= hidden_input f, :user_id %>

There could be beginners reading the book that wouldn’t understand why this is bad approach, so I suggest you don’t use the user_id from the params, but instead use the one from the current_user when saving survey data.

Most Liked

vrcca

vrcca

Agreed. I also found it pretty odd. This is how I did instead:

  defp save_demographic(socket, params) do
    params
    |> assign_current_user_param(socket)
    |> Survey.create_demographic()
    |> case do
      {:ok, demographic} ->
        send(self(), {:created_demographic, demographic})
        socket

      {:error, %Ecto.Changeset{} = changeset} ->
        assign(socket, :changeset, changeset)
    end
  end

  defp assign_current_user_param(params, socket) do
    Map.put(params, "user_id", socket.assigns.current_user.id)
  end

Also got rid of the assignment and field entirely!

mwu

mwu

Another agreed here since hidden input fields are still visible client-side (in the code) so those values can be used by bad actors.

I did the same concept as @vrcca for save_demographic/2, and for save_rating/2:


For page 196, I removed the hidden input fields:

<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>

And modified save_rating/2 on page 199 to add user_id and product_id from the values already in the socket assigns (rather than from the hidden input field):

defp save_rating(
       %{assigns: %{product_index: product_index, product: product}} = socket,
       rating_params
     ) do
  rating_params
  |> add_user_id_param(socket)
  |> add_product_id_param(socket)
  |> Survey.create_rating()
  |> case do
    {:ok, %Rating{} = rating} ->
      product = %{product | ratings: [rating]}
      send(self(), {:created_rating, product, product_index})
      socket
  
    {:error, %Ecto.Changeset{} = changeset} ->
      assign(socket, changeset: changeset)
  end
end
  
defp add_user_id_param(rating_params, socket) do
  Map.put(rating_params, "user_id", socket.assigns.current_user.id)
end
  
defp add_product_id_param(rating_params, socket) do
  Map.put(rating_params, "product_id", socket.assigns.product.id)
end

Where Next?

Popular Pragmatic Bookshelf topics Top

New
sdmoralesma
Title: Web Development with Clojure, Third Edition - migrations/create not working: p159 When I execute the command: user=&gt; (create-...
New
JohnS
I can’t setup the Rails source code. This happens in a working directory containing multiple (postgres) Rails apps. With: ruby-3.0.0 s...
New
conradwt
First, the code resources: Page 237: rumbl_umbrella/apps/rumbl/mix.exs Note: That this file is missing. Page 238: rumbl_umbrella/app...
New
leonW
I ran this command after installing the sample application: $ cards add do something --owner Brian And got a file not found error: Fil...
New
patoncrispy
I’m new to Rust and am using this book to learn more as well as to feed my interest in game dev. I’ve just finished the flappy dragon exa...
New
jskubick
I think I might have found a problem involving SwitchCompat, thumbTint, and trackTint. As entered, the SwitchCompat changes color to hol...
New
oaklandgit
Hi, I completed chapter 6 but am getting the following error when running: thread 'main' panicked at 'Failed to load texture: IoError(O...
New
dsmith42
Hey there, I’m enjoying this book and have learned a few things alredayd. However, in Chapter 4 I believe we are meant to see the “&gt;...
New
mert
AWDWR 7, page 152, page 153: Hello everyone, I’m a little bit lost on the hotwire part. I didn’t fully understand it. On page 152 @rub...
New

Other popular topics Top

axelson
I’ve been really enjoying obsidian.md: It is very snappy (even though it is based on Electron). I love that it is all local by defaul...
New
DevotionGeo
I know that -t flag is used along with -i flag for getting an interactive shell. But I cannot digest what the man page for docker run com...
New
AstonJ
poll poll Be sure to check out @Dusty’s article posted here: An Introduction to Alternative Keyboard Layouts It’s one of the best write-...
New
AstonJ
There’s a whole world of custom keycaps out there that I didn’t know existed! Check out all of our Keycaps threads here: https://forum....
New
AstonJ
Inspired by this post from @Carter, which languages, frameworks or other tech or tools do you think is killing it right now? :upside_down...
New
AstonJ
I have seen the keycaps I want - they are due for a group-buy this week but won’t be delivered until October next year!!! :rofl: The Ser...
New
PragmaticBookshelf
Learn different ways of writing concurrent code in Elixir and increase your application's performance, without sacrificing scalability or...
New
Margaret
Hello everyone! This thread is to tell you about what authors from The Pragmatic Bookshelf are writing on Medium.
1143 25883 760
New
AstonJ
If you get Can't find emacs in your PATH when trying to install Doom Emacs on your Mac you… just… need to install Emacs first! :lol: bre...
New
AstonJ
This is cool! DEEPSEEK-V3 ON M4 MAC: BLAZING FAST INFERENCE ON APPLE SILICON We just witnessed something incredible: the largest open-s...
New

Sub Categories: