rails console --sandbox allows for untracked read-only access to the database, including decryption of values
#91
Comments
|
Good catch, thanks for reporting @joshuaclayton. I'm not sure what's the right solution here, but a note in the README is totally pertinent. Thanks! |
|
This seems like a big risk to me. Would you consider disabling the You can use |
|
That's a good idea @ghiculescu. I'll be happy to merge a PR that disables the sandbox option when console1984 is enabled. |
|
Can we explore other directions (e.g., saving audit logs in another database)? To avoid accidental destruction, I always use sandbox mode first to check if commands work as expected. |
|
I can make it optional if you prefer but IMO it's better to be strict here and then loosen it up later if other options are added. |
|
I think optional but disabled by default is a sensible approach here @ghiculescu. |
|
We've been using another database to store our console access with some success: class Console1984Record < ActiveRecord::Base
self.abstract_class = true
self.belongs_to_required_by_default = false
connects_to database: { writing: :console_access, reading: :console_access }
endIn config.console1984.base_record_class = "::Console1984Record"The user that connects to that database can insert and can update |
As the name suggests, storing console session data in the primary database results in the session record being rolled back in a transaction when running
rails console --sandboxonce it terminates.While I'm not sure there's an actual "fix" to this behavior (it seems to be working as intended), I'd be interested to understand if the team would find an update to the README documenting this useful. I'd be happy to add a line or two about this if so.
The text was updated successfully, but these errors were encountered: