Learning Mongoid

By: Gautam Rege

Overview of this book

Mongoid helps you to leverage the power of schema-less and efficient document-based design, dynamic queries, and atomic modifier operations. Mongoid eases the work of Ruby developers while they are working on complex frameworks. Starting with why and how you should use Mongoid, this book covers the various components of Mongoid. It then delves deeper into the details of queries and relations, and you will learn some tips and tricks on improving performance. With this book, you will be able to build robust and large-scale web applications with Mongoid and Rails. Starting with the basics, this book introduces you to components such as moped and origin, shows how information is managed, and covers the various datatypes, embedded documents, arrays, and hashes. You will learn how a document is stored and manipulated with callbacks, validations, and even atomic updates. This book will then show you the querying mechanism in detail, from simple to complex queries, and even explains eager loading, lazy evaluation, and chaining of queries. Finally, this book will explain the importance of performance tuning and how to use the right indexes. It also explains MapReduce and the Aggregation Framework.

Mass assignment and security

Mass assignment of attributes is a way to assign multiple attributes of an object at once. Typically, the request parameter hash, params, is passed straight to the object to update it. For example:

# params: { name: "Gautam", age: 35}

But what happens if someone submits information that should not be part of params? What if someone inserted a key such as password: "something" into the params hash? It would update the User object and wreak havoc.

That's exactly what happened.

Early in 2012, Egor Homakov exploited this Rails mass assignment vulnerability. He was kind enough not to cause any harm; his intention was only to highlight the danger of mass assignment in Rails.

He added his own SSH key to a Rails core team member's account through mass assignment, and it worked! After that he had full access to the repository. He showed that mass assignment is dangerous.
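The pattern described above, as an added example that is not the book's or Mongoid's own code: User is a constructed stand-in for a Mongoid document so the script runs without MongoDB, the tampered params hash is constructed, and the permitted helper is an assumed whitelist modelled on Rails' attr_accessible / strong parameters. It shows the unfiltered update flipping fields the request should never touch, and the same request rendered harmless by whitelisting.

```ruby
# Constructed stand-in for a Mongoid document (not Mongoid's API): enough of
# update_attributes to show how an unfiltered params hash reaches every field.
class User
  ATTRIBUTES = %i[name age password admin].freeze
  attr_reader(*ATTRIBUTES)

  def initialize(name:, age:, password:, admin: false)
    @name, @age, @password, @admin = name, age, password, admin
  end

  # Vulnerable pattern from the text: every key in params lands on the object,
  # whether or not the requester should be allowed to set it.
  def update_attributes(params)
    params.each do |key, value|
      key = key.to_sym
      instance_variable_set("@#{key}", value) if ATTRIBUTES.include?(key)
    end
    self
  end

  def to_h
    ATTRIBUTES.to_h { |attr| [attr, public_send(attr)] }
  end
end

# Hardened: the application, not the client, decides which keys may be set.
# Assumed whitelist helper, in the spirit of Rails' attr_accessible / permit.
PERMITTED = %i[name age].freeze

def permitted(params)
  params.select { |key, _| PERMITTED.include?(key.to_sym) }
end

# Constructed request hash: a normal profile edit with two extra keys smuggled in.
TAMPERED_PARAMS = { "name" => "Gautam", "age" => 35,
                    "password" => "something", "admin" => true }.freeze

def unfiltered_update
  User.new(name: "Old", age: 30, password: "secret").update_attributes(TAMPERED_PARAMS).to_h
end

def filtered_update
  User.new(name: "Old", age: 30, password: "secret").update_attributes(permitted(TAMPERED_PARAMS)).to_h
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{unfiltered_update}" # password overwritten, admin flipped to true
  puts "filtered:   #{filtered_update}"   # only name and age change
end
```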

To protect against mass assignment, Rails...