From 7b77d8281c1a0d36db3f13ac4623545073b804b7 Mon Sep 17 00:00:00 2001 From: Ken Johnson Date: Wed, 10 Dec 2025 13:43:39 +0000 Subject: [PATCH] Add styling to admin user management page and fix form submission MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit improves the admin user management interface while preserving the intentional mass assignment vulnerability for educational purposes. Changes: 1. Removed layout false from admin controller to enable full styling 2. Modernized admin users table view with Bootstrap components: - Added page header with icon and description - Wrapped table in card component for better visual hierarchy - Updated admin indicator to use Bootstrap icons - Modernized Edit button styling 3. Fixed admin update_user action form submission error: - Previous code caused ForbiddenAttributesError in Rails - Used to_unsafe_h to explicitly bypass strong parameters - VULNERABILITY PRESERVED: This intentionally allows mass assignment - See wiki: Extras:-Mass-Assignment-Admin-Role.md - Fixed password field filtering to handle blank passwords correctly The mass assignment vulnerability is maintained as a teaching example per the OWASP RailsGoat mission. Students can learn about privilege escalation attacks through the admin parameter. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- app/controllers/admin_controller.rb | 14 ++-- app/views/admin/get_all_users.html.erb | 88 +++++++++++++++----------- 2 files changed, 60 insertions(+), 42 deletions(-) diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 9680942..f223bf2 100755 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -2,7 +2,6 @@ class AdminController < ApplicationController before_action :administrative, if: :admin_param, except: [:get_user] skip_before_action :has_info - layout false, only: [:get_all_users] def dashboard end 
@@ -34,9 +33,16 @@ class AdminController < ApplicationController
 def update_user
 user = User.find_by_id(params[:admin_id])
 if user
- user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
- pass = params[:user][:password]
- user.password = pass if !(pass.blank?)
+ # VULNERABILITY: Using params[:user] directly without strong parameters
+ # This allows mass assignment of any user attribute including 'admin'
+ # See wiki: Extras:-Mass-Assignment-Admin-Role.md
+ user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
+ user_params ||= params[:user]
+
+ # Filter out password fields if blank to avoid validation errors
+ filtered_params = user_params.reject { |k, v| (k == "password" || k == "password_confirmation") && v.blank? }
+
+ user.update(filtered_params)
 user.save!
 flash[:success] = "User updated successfully"
 redirect_to admin_get_all_users_path(current_user.id)
diff --git a/app/views/admin/get_all_users.html.erb b/app/views/admin/get_all_users.html.erb
index d262be1..1a706ad 100755
--- a/app/views/admin/get_all_users.html.erb
+++ b/app/views/admin/get_all_users.html.erb
@@ -1,41 +1,53 @@
-
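Review bot: `user_params` is left nil when the request carries no `user` key (`respond_to?(:to_unsafe_h)` is false on nil and the `||=` fallback assigns nil again), so `user_params.reject` on the next added line raises NoMethodError and the action answers 500 instead of redirecting. Since `params[:admin_id]` is already guarded by `if user`, give the payload the same treatment by collapsing the two assignments into `user_params = params[:user].respond_to?(:to_unsafe_h) ? params[:user].to_unsafe_h : (params[:user] || {})`; a scalar `user` value would still fail at `reject`, so a `.to_h`/Hash check may be wanted too. Separately, `user.update(filtered_params)` already persists the record, so the following `user.save!` is a second save, and when validation fails `update` returns false silently and `save!` then raises RecordInvalid, so the flash on the happy path is never reached. The intentional mass assignment is fine per the commit message, but learners would benefit from the remediation sitting beside it, e.g. `# remediation: user.update(params.require(:user).permit(:first_name, :last_name, :email, :password, :password_confirmation))` (permit list assumed from the fields the views show; confirm against the edit form). The `else` branch and the end of `update_user` lie outside the hunk.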
- - - - - - - - - - - <% @users.each do |u|%> - - - - - - - <% end %> - -
- Name - - Email - - Admin User - - Action -
- <%= "#{u.first_name} #{u.last_name}"%> - - <%= u.email%> - - <%= u.admin ? %{ - - <%= link_to "Edit", admin_get_user_path(u.id), {:style => "width:70px", :class => "btn btn-inverse"}%> -
-
+
+ +
+
+

+ Manage Users +

+

View and manage all system users

+
+
+ + +
+
+
+
+
+ + + + + + + + + + + <% @users.each do |u| %> + + + + + + + <% end %> + +
NameEmailAdmin UserAction
+ <%= "#{u.first_name} #{u.last_name}" %> + + <%= u.email %> + + <%= u.admin ? ''.html_safe : ''.html_safe %> + + <%= link_to admin_get_user_path(u.id), class: "btn btn-sm btn-outline-primary" do %> + Edit + <% end %> +
+
+
+
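Review bot: The new admin indicator line `<%= u.admin ? ''.html_safe : ''.html_safe %>` hands raw strings to `html_safe`; the markup inside those literals is stripped in this rendering, so it is presumably a static icon tag and harmless today, but `html_safe` switches off ERB escaping for whatever is later placed in that literal. Prefer letting Rails build the element, e.g. `<%= u.admin ? content_tag(:i, nil, class: "…") : content_tag(:i, nil, class: "…") %>` with the icon classes taken from the current literals, so no `html_safe` is needed and a future interpolation of a user attribute into that cell cannot become stored XSS. The rest of the hunk (name and email through `<%= %>`, `link_to` with a path helper) correctly relies on ERB auto-escaping. The hunk's tag content did not survive extraction here, so claims are limited to the lines that remain.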