Protecting database columns with sensitive information (like passwords) in Rails


Problem description


I have a Rails app that, like so many Rails apps, has users. In my user model I have password and salt columns, among others. Is there any way I can protect these from appearing when I do, for example, debug @user or when I render JSON?

Of course I could just make sure to omit these every time I use it, but is there a way I can make really sure that they don't show up anywhere?

Maybe they could be private fields? They are only needed in my User model and my Session controller, but I could make a method in User that compares a given password to the correct one and then only have the variables accessible in the `User` module. Would this help, or would they still be rendered in those two places (and others)?

Solution

Very good question; there are several things to consider:

  1. Are you looking to "privatise" the values in the model or in the Rails Core?
  2. Will you need to access these attributes in any specific circumstances? (i.e. are they always private?)
  3. How will the private methods be populated? Will they ever change?

I have to be honest in saying I don't know the answer. Since I'm interested, I did some research. Here are some resources:

The consensus seems to be that if you take the Rails model, and apply the logic that every time you populate it, its attributes become instance methods, you can begin to privatise those methods within the model itself.

For example...

#app/models/user.rb
class User < ActiveRecord::Base
  # Hides the generated attribute readers/writers from callers outside the model.
  # Caveat: ActiveRecord generates attribute methods lazily, so these calls raise
  # NameError at class-load time if the methods have not been generated yet.
  private :password, :password=
  private :salt, :salt=
end

This seems to give you the ability to make certain methods private in your model, which will answer half your question. However, it still leaves the possibility of ActiveRecord pulling the record each time, which could be a danger.

I had a look into this, and found that there are certain ways you can manipulate ActiveRecord to prevent it pulling unwanted data:

This resource recommends the use of active_record_serializers. This appears specifically for JSON, but is more along the right track (i.e. the ability to define which data we return from ActiveRecord queries).

#serializer (ActiveModel::Serializer comes from the active_model_serializers gem)
class UserSerializer < ActiveModel::Serializer
  attributes :username, :created_at   # password and salt are simply not listed
end

#controller
render json: @user, serializer: UserSerializer

There was another suggestion of ActiveRecord Lazy Attributes - stipulating to ActiveRecord which attributes to load:

#app/models/user.rb
class User < ActiveRecord::Base
  attr_lazy :data   # attr_lazy is provided by a lazy-attributes gem, not by ActiveRecord core
end

Finally, you always have good ol' default_scope:

#app/models/user.rb
class User < ActiveRecord::Base
  # Every query selects only these columns, so password and salt are never loaded.
  # Rails 4+ requires the block form: default_scope { select(:id, :username) }.
  # A login path then has to opt out with User.unscoped to read the stored secret.
  default_scope select([:id, :username])
end
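The pattern the question and answer circle around (secrets usable only through a comparison method, never shown by inspect/debug or JSON), as an added plain-Ruby stand-in that is not the answer's code and uses no ActiveRecord. It assumes the column holds a PBKDF2 digest rather than the raw password; `User`, `authenticate` and `SECRET_ATTRIBUTES` are names chosen for this illustration.

```ruby
require 'json'
require 'openssl'

# Plain-Ruby stand-in for the User model (no ActiveRecord): the secret columns are
# reachable only through a comparison method and never appear in inspect or JSON.
class User
  SECRET_ATTRIBUTES = %i[salt password_digest].freeze
  attr_reader :id, :username

  def initialize(id:, username:, password:)
    @id = id
    @username = username
    # Assumption: the column holds a PBKDF2 digest, not the raw password.
    @salt = OpenSSL::Random.random_bytes(16)
    @password_digest = digest(password, @salt)
  end

  # The only public way to use the secret: constant-time comparison of the
  # candidate's digest against the stored one.
  def authenticate(candidate)
    secure_compare(digest(candidate, @salt), @password_digest)
  end

  # What `p @user` / `@user.inspect` shows: secret names listed, values omitted.
  def inspect
    "#<User id=#{@id} username=#{@username.inspect} [FILTERED: #{SECRET_ATTRIBUTES.join(', ')}]>"
  end

  # What `render json: @user` ends up calling: only the safe columns.
  def as_json(_options = nil)
    { 'id' => @id, 'username' => @username }
  end

  def to_json(*args)
    as_json.to_json(*args)
  end

  private

  attr_reader :salt, :password_digest # private readers, as `private :salt` does in the answer

  def digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 20_000, length: 32, hash: 'sha256')
  end

  # Compare without short-circuiting on the first differing byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```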
