0.01
No commit activity in last 3 years
No release in over 3 years
Strong parameter integration between rails and mongoid
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

< 7, >= 4.0
 Project Readme

mongoid-rails is the safest way to use MongoDB with Rails 3 or 4.

Installation

Add mongoid-rails to your Gemfile.

gem 'mongoid-rails'

Then run bundle install.

What does it do?

Mongoid rails provides protection against hash-injection attacks in mongoid.

Forbidden attributes protection

This causes things like User.create(setings: params[:settings]) to raise an exception. If you want to create a user from parameters, you need to explicitly permit the fields that you want to allow.

User.create(settings: params[:settings].permit(:favorite_color))

This prevents an attacker from sneakily setting params[:settings][:admin] = true or similar.

Forbidden query protection

This protects you against query injection attacks. It makes the following code safe:

User.where(api_token: params[:api_token])

Without mongoid-rails an attacker can send ?api_token[$gt]= to guess api tokens from your app. With mongoid-rails that will cause an exception to be raised.

Meta

mongoid-rails is released under the MIT license. See LICENCE.MIT for details.