Add styling to admin user management page and fix form submission
This commit improves the admin user management interface while preserving the intentional mass assignment vulnerability for educational purposes. Changes: 1. Removed layout false from admin controller to enable full styling 2. Modernized admin users table view with Bootstrap components: - Added page header with icon and description - Wrapped table in card component for better visual hierarchy - Updated admin indicator to use Bootstrap icons - Modernized Edit button styling 3. Fixed admin update_user action form submission error: - Previous code caused ForbiddenAttributesError in Rails - Used to_unsafe_h to explicitly bypass strong parameters - VULNERABILITY PRESERVED: This intentionally allows mass assignment - See wiki: Extras:-Mass-Assignment-Admin-Role.md - Fixed password field filtering to handle blank passwords correctly The mass assignment vulnerability is maintained as a teaching example per the OWASP RailsGoat mission. Students can learn about privilege escalation attacks through the admin parameter. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
@@ -2,7 +2,6 @@
|
|||||||
class AdminController < ApplicationController
|
class AdminController < ApplicationController
|
||||||
before_action :administrative, if: :admin_param, except: [:get_user]
|
before_action :administrative, if: :admin_param, except: [:get_user]
|
||||||
skip_before_action :has_info
|
skip_before_action :has_info
|
||||||
layout false, only: [:get_all_users]
|
|
||||||
|
|
||||||
def dashboard
|
def dashboard
|
||||||
end
|
end
|
||||||
@@ -34,9 +33,16 @@ class AdminController < ApplicationController
|
|||||||
def update_user
|
def update_user
|
||||||
user = User.find_by_id(params[:admin_id])
|
user = User.find_by_id(params[:admin_id])
|
||||||
if user
|
if user
|
||||||
user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
|
# VULNERABILITY: Using params[:user] directly without strong parameters
|
||||||
pass = params[:user][:password]
|
# This allows mass assignment of any user attribute including 'admin'
|
||||||
user.password = pass if !(pass.blank?)
|
# See wiki: Extras:-Mass-Assignment-Admin-Role.md
|
||||||
|
user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
|
||||||
|
user_params ||= params[:user]
|
||||||
|
|
||||||
|
# Filter out password fields if blank to avoid validation errors
|
||||||
|
filtered_params = user_params.reject { |k, v| (k == "password" || k == "password_confirmation") && v.blank? }
|
||||||
|
|
||||||
|
user.update(filtered_params)
|
||||||
user.save!
|
user.save!
|
||||||
flash[:success] = "User updated successfully"
|
flash[:success] = "User updated successfully"
|
||||||
redirect_to admin_get_all_users_path(current_user.id)
|
redirect_to admin_get_all_users_path(current_user.id)
|
||||||
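Review bot: On the new side `user.update(filtered_params)` discards its return value and is immediately followed by the unchanged `user.save!`, so a record that fails validation (for example a password without a matching confirmation) is not reported through `flash` but re-saved and surfaces as an unhandled `ActiveRecord::RecordInvalid`; branching on the result of `update` and dropping the redundant `save!` keeps the success path as it is. `params[:user]` is also not guarded: when the key is absent `user_params` stays nil and the `.reject` line raises `NoMethodError`, which `user_params ||= params[:user] || {}` avoids without touching the normal path. Since the comment block marks the mass assignment as deliberate, it could also name the remediation students are meant to compare against, e.g. `# Secure form would be: params.require(:user).permit(...)` — the `to_unsafe_h` branch then reads clearly as the intentionally vulnerable one. The `flash[:error]` key below is a constructed sample; use whatever key the app's layout renders. The body of update_user continues past the end of the hunk.
```ruby
      user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
      user_params ||= params[:user] || {}
      # … unchanged: blank-password filtering into filtered_params …
      if user.update(filtered_params)
        flash[:success] = "User updated successfully"
      else
        flash[:error] = user.errors.full_messages.to_sentence
      end
      redirect_to admin_get_all_users_path(current_user.id)
```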
|
|||||||
@@ -1,19 +1,27 @@
|
|||||||
|
<div class="container-fluid">
|
||||||
|
<!-- Header -->
|
||||||
|
<div class="row mb-4">
|
||||||
|
<div class="col-12">
|
||||||
|
<h2 class="mb-3">
|
||||||
|
<i class="bi bi-people-fill text-primary"></i> Manage Users
|
||||||
|
</h2>
|
||||||
|
<p class="text-muted">View and manage all system users</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<!-- Users Table -->
|
||||||
|
<div class="row">
|
||||||
|
<div class="col-12">
|
||||||
|
<div class="card shadow-sm">
|
||||||
|
<div class="card-body">
|
||||||
<div id="dt_example" class="example_alt_pagination">
|
<div id="dt_example" class="example_alt_pagination">
|
||||||
<table class="table table-striped table-hover table-bordered pull-left" id="data-table">
|
<table class="table table-striped table-hover table-bordered" id="data-table">
|
||||||
<thead>
|
<thead>
|
||||||
<tr>
|
<tr>
|
||||||
<th>
|
<th>Name</th>
|
||||||
Name
|
<th>Email</th>
|
||||||
</th>
|
<th>Admin User</th>
|
||||||
<th>
|
<th>Action</th>
|
||||||
Email
|
|
||||||
</th>
|
|
||||||
<th>
|
|
||||||
Admin User
|
|
||||||
</th>
|
|
||||||
<th>
|
|
||||||
Action
|
|
||||||
</th>
|
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
@@ -25,17 +33,21 @@
|
|||||||
<td>
|
<td>
|
||||||
<%= u.email %>
|
<%= u.email %>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td class="text-center">
|
||||||
<%= u.admin ? %{<span class="fs1" aria-label="check" data-icon=""}.html_safe : nil %>
|
<%= u.admin ? '<i class="bi bi-check-circle-fill text-success" title="Admin"></i>'.html_safe : '<i class="bi bi-dash-circle text-muted" title="Not Admin"></i>'.html_safe %>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<%= link_to "Edit", admin_get_user_path(u.id), {:style => "width:70px", :class => "btn btn-inverse"}%>
|
<%= link_to admin_get_user_path(u.id), class: "btn btn-sm btn-outline-primary" do %>
|
||||||
|
<i class="bi bi-pencil"></i> Edit
|
||||||
|
<% end %>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<% end %>
|
<% end %>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<div class="clearfix">
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
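Review bot: The admin indicator on the new side builds both `<i>` elements as string literals and calls `html_safe` on each; `content_tag(:i, "", class: "bi bi-check-circle-fill text-success", title: "Admin")` (or `tag.i(...)` on Rails 5.1+) renders the same markup without marking a string safe by hand, which keeps `html_safe` out of templates where it is easy to copy onto a user-supplied value later. Only the two fixed literals are marked here, so there is no injection in this hunk as written. The `bi` icon classes presumably rely on Bootstrap Icons being loaded by the layout this view now renders inside after `layout false` was dropped — worth confirming rather than assuming. The `link_to ... do` block for the Edit button reads well and needs no change.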
|
|||||||