
Prevent fetching password attribute value for an instance of User object


I have this in my :show action of users_controller.

def show
  @user = User.find(params[:id])
end

But there are some columns in the users table that I wouldn't want accessed from the @user instance variable.

There is the encrypted_password column and the salt column. What can I do on the model or the controller to ensure that @user has no password or salt values?

I want that when I do @user.password or @user.salt, it returns nil or something that can't compromise a user's security.


Solution

    1. Limiting your Ruby code from fetching some data from the DB hardly enhances security - chances are a hacker will get to your DB not through your Ruby code, but by hacking straight into your database...
    2. If all that is saved in the database is an encrypted password and the salt (both of which you need to authenticate the user) - you should be fine; having both is not enough to know the user's password (at least not easily, assuming the encryption is strong enough).
    3. If you want to be extra careful, you can save the salt in a separate repository from the encrypted password repository. This way a hacker will have to break into both repositories to even start brute forcing your users' passwords.