Add styling to admin user management page and fix form submission

This commit improves the admin user management interface while preserving
the intentional mass assignment vulnerability for educational purposes.

Changes:
1. Removed layout false from admin controller to enable full styling
2. Modernized admin users table view with Bootstrap components:
   - Added page header with icon and description
   - Wrapped table in card component for better visual hierarchy
   - Updated admin indicator to use Bootstrap icons
   - Modernized Edit button styling

3. Fixed admin update_user action form submission error:
   - Previous code caused ForbiddenAttributesError in Rails
   - Used to_unsafe_h to explicitly bypass strong parameters
   - VULNERABILITY PRESERVED: This intentionally allows mass assignment
   - See wiki: Extras:-Mass-Assignment-Admin-Role.md
   - Fixed password field filtering to handle blank passwords correctly

The mass assignment vulnerability is maintained as a teaching example per
the OWASP RailsGoat mission. Students can learn about privilege escalation
attacks through the admin parameter.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Ken Johnson
2025-12-10 13:43:39 +00:00
parent 2cc86dd271
commit 7b77d8281c
2 changed files with 60 additions and 42 deletions
@@ -2,7 +2,6 @@
class AdminController < ApplicationController
before_action :administrative, if: :admin_param, except: [:get_user]
skip_before_action :has_info
layout false, only: [:get_all_users]
def dashboard
end
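Review bot: dropping `layout false, only: [:get_all_users]` means get_all_users now renders inside the full application layout while `skip_before_action :has_info` still applies to this controller; confirm the layout does not depend on anything `has_info` sets up, otherwise the newly styled page can fail on a nil value that the layout-less version never touched.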
@@ -34,9 +33,16 @@ class AdminController < ApplicationController
def update_user
user = User.find_by_id(params[:admin_id])
if user
user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
pass = params[:user][:password]
user.password = pass if !(pass.blank?)
# VULNERABILITY: Using params[:user] directly without strong parameters
# This allows mass assignment of any user attribute including 'admin'
# See wiki: Extras:-Mass-Assignment-Admin-Role.md
user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
user_params ||= params[:user]
# Filter out password fields if blank to avoid validation errors
filtered_params = user_params.reject { |k, v| (k == "password" || k == "password_confirmation") && v.blank? }
user.update(filtered_params)
user.save!
flash[:success] = "User updated successfully"
redirect_to admin_get_all_users_path(current_user.id)
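Review bot: the `user.save!` after `user.update(filtered_params)` is redundant and changes the failure path: `update` already persists the record, and if it returned false because a validation failed, `save!` re-runs the same validations and raises `ActiveRecord::RecordInvalid`, so the user gets a 500 instead of a flash message. Either branch on the return value (`if user.update(filtered_params) ... else flash[:error] = ...`) or drop `save!`. The `to_unsafe_h` bypass is documented as intentional in the commit message and the inline comments; the replaced line `reject { |k| k == ("password" || "password_confirmation") }` never filtered anything, since the expression evaluates to `"password"` and a single block parameter receives the `[key, value]` pair, so the new two-argument `reject { |k, v| ... && v.blank? }` is the correct fix for the blank-password case.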