This commit improves the admin user management interface while preserving
the intentional mass assignment vulnerability for educational purposes.
Changes:
1. Removed layout false from admin controller to enable full styling
2. Modernized admin users table view with Bootstrap components:
- Added page header with icon and description
- Wrapped table in card component for better visual hierarchy
- Updated admin indicator to use Bootstrap icons
- Modernized Edit button styling
3. Fixed admin update_user action form submission error:
- Previous code caused ForbiddenAttributesError in Rails
- Used to_unsafe_h to explicitly bypass strong parameters
- VULNERABILITY PRESERVED: This intentionally allows mass assignment
- See wiki: Extras:-Mass-Assignment-Admin-Role.md
- Fixed password field filtering to handle blank passwords correctly
The mass assignment vulnerability is maintained as a teaching example per
the OWASP RailsGoat mission. Students can learn about privilege escalation
attacks through the admin parameter.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove complex modal implementation and replace with simple page navigation:
- Convert get_user view from modal partial to full edit page
- Add proper form with Bootstrap 5 styling
- Link directly from users list to edit page
- Update controller actions to redirect instead of returning JSON
- Add flash messages for success/error feedback
- Remove all modal JavaScript and markup
- Remove modal CSS and backdrop handling
Benefits:
- Much simpler and more maintainable
- No JavaScript errors or complexity
- Standard Rails CRUD pattern
- Better user experience with proper navigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
no functional change here, but familiar Rails users will see view files in the
locations they expect. this also slightly simplifies controller code
there is one attendant change in the wiki at `rails_3/A1-SQL-Injection-Interpolation.md`
that I'm happy to make after the PR is merged.
Ken Johnson