Ruby on Rails
Thursday, October 16, 2014
I'm not sure if this has been discussed before, but are there significant challenges to having one database user to run migrations (ability to CREATE and/or EDIT schema) and another user to do CRUD actions on the data itself? I understand Rails takes care of a lot of SQL injection attacks for us, but if the database user that Rails used lacked schema EDIT capability, it would be impossible for a malicious user to DROP or ADD tables. Sure, there is still a lot of danger posed by a malicious data user (DELETE FROM table), but couldn't we limit the attack area on the database with a more powerful "migration only" user?
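The two-user split asked about above, sketched as an added example that is not part of the original post. It assumes PostgreSQL; the role names `app_migrator` and `app_runtime`, the database name `myapp_production` and the passwords are hypothetical placeholders.

```sql
-- Added example, PostgreSQL assumed. Run once as a superuser.
-- app_migrator / app_runtime / myapp_production are hypothetical names.
CREATE ROLE app_migrator LOGIN PASSWORD 'CHANGE_ME_MIGRATOR';
CREATE ROLE app_runtime  LOGIN PASSWORD 'CHANGE_ME_RUNTIME';

-- Before PostgreSQL 15, every role may create objects in "public" by
-- default, which would defeat the split; remove that first.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE myapp_production FROM PUBLIC;
GRANT CONNECT ON DATABASE myapp_production TO app_migrator, app_runtime;

-- Migration role: may create objects in the schema.
GRANT USAGE, CREATE ON SCHEMA public TO app_migrator;
-- Runtime role: may resolve names in the schema, nothing more.
GRANT USAGE ON SCHEMA public TO app_runtime;

-- ALTER TABLE and DROP TABLE are tied to ownership, not to a grant, so
-- tables created by migrations are owned by app_migrator. Give the runtime
-- role data-only access to everything app_migrator creates from now on.
ALTER DEFAULT PRIVILEGES FOR ROLE app_migrator IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_runtime;
ALTER DEFAULT PRIVILEGES FOR ROLE app_migrator IN SCHEMA public
  GRANT USAGE, SELECT ON SEQUENCES TO app_runtime;  -- needed for serial ids

-- Same data-only access for tables and sequences that already exist.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_runtime;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_runtime;

-- Optional, after the first migration has created it: the running app only
-- needs to read Rails' migration bookkeeping table, not write to it.
REVOKE INSERT, UPDATE, DELETE ON schema_migrations FROM app_runtime;

-- Checks: the first two should return false, the third true.
SELECT has_schema_privilege('app_runtime', 'public', 'CREATE');
SELECT has_table_privilege('app_runtime', 'schema_migrations', 'INSERT');
SELECT has_table_privilege('app_runtime', 'schema_migrations', 'SELECT');
```

With this in place, `config/database.yml` for the running application would name the runtime role, and the migrator's credentials would be supplied only to the process that runs `rake db:migrate`, for example through `DATABASE_URL`. As the post notes, the runtime role can still delete rows; the split only removes its ability to change the schema.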