Strong parameters integration with mongoid
Ruby
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib
.gitignore
LICENCE.MIT
README.md
mongoid-rails.gemspec

README.md

mongoid-rails is the safest way to use MongoDB with Rails 3 or 4.

Installation

Add mongoid-rails to your Gemfile.

gem 'mongoid-rails'

Then run bundle install.

What does it do?

Mongoid rails provides protection against hash-injection attacks in mongoid.

Forbidden attributes protection

This causes things like User.create(setings: params[:settings]) to raise an exception. If you want to create a user from parameters, you need to explicitly permit the fields that you want to allow.

User.create(settings: params[:settings].permit(:favorite_color))

This prevents an attacker from sneakily setting params[:settings][:admin] = true or similar.

Forbidden query protection

This protects you against query injection attacks. It makes the following code safe:

User.where(api_token: params[:api_token])

Without mongoid-rails an attacker can send ?api_token[$gt]= to guess api tokens from your app. With mongoid-rails that will cause an exception to be raised.

Meta

mongoid-rails is released under the MIT license. See LICENCE.MIT for details.