Lesson #2 - security


Raptor Man

Jul 14, 2013, 2:02:08 PM7/14/13
to rai...@googlegroups.com
You mentioned in part of lesson #2 that someone could modify the URL to mess with other people's tasks ... since I'm new to the model-view-controller thing, which other file / method am I looking for?

From:

https://github.com/railsmn/schedule/blob/master/open_camp/session2.md

I ran down a list of files that looked slightly promising and the best guess I came up with was:

Open_camp/config/routes.rb

```ruby
OpenCamp::Application.routes.draw do
  devise_for :users

  # Scaffold leftovers: these GET routes are already covered by `resources :notes` below.
  get "notes/index"
  get "notes/show"
  get "notes/new"
  get "notes/edit"
  get "notes/create"
  get "notes/update"
  get "notes/destroy"

  # RESTful routes; the :id in /tasks/:id is what the controller reads as params[:id].
  resources :notes
  resources :tasks
end
```

Joshua Wehner

Jul 16, 2013, 7:20:17 PM7/16/13
to Raptor Man, rai...@googlegroups.com
Here's how I'd approach this:

Basically, Task.foo (by which I mean "any class-level method on Task") will find / create / delete *any* Task in the system, regardless of who "owns" that task. Our initial version of the TasksController naively passes the ID from the URL (via params[:id]).

So, if user A has task 1 and is looking at the URL:

and changes it to:

then that user can see (and be able to edit, etc.) Task #2, even though task #2 might be owned by another user.

If, instead of "Task.foo", you substitute "current_user.tasks.foo", then you are interacting with the current user (this is supplied by Devise, btw) model's "tasks" method, which only returns tasks that are "owned" by the user. 

In other words, for the scenario above, "current_user.tasks.find(2)" would fail with an ActiveRecord::RecordNotFound. Which is better than letting the user find / create / update any and everybody's tasks.



--
You received this message because you are subscribed to the Google Groups "RailsMN" group.
To unsubscribe from this group and stop receiving emails from it, send an email to railsmn+u...@googlegroups.com.
To post to this group, send email to rai...@googlegroups.com.
Visit this group at http://groups.google.com/group/railsmn.
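The difference Joshua describes above, as an added example that is not code from the open_camp repo or from the reply. It runs without Rails: `Task`, `TaskScope`, `User` and `RecordNotFound` are dependency-free stand-ins for the ActiveRecord model, the `has_many :tasks` association, the Devise `current_user` and `ActiveRecord::RecordNotFound`, so the naive `Task.find(params[:id])` action and the scoped `current_user.tasks.find(params[:id])` action can be compared side by side. The fixture data (user A owns task 1, user B owns task 2) is constructed for the example.

```ruby
# Added example, not code from the open_camp project. Pure-Ruby stand-ins for
# the ActiveRecord pieces the reply talks about.

class RecordNotFound < StandardError; end   # stands in for ActiveRecord::RecordNotFound

# Stand-in for an ActiveRecord model: a class-level store of every task in the system.
class Task
  attr_reader :id, :user_id
  attr_accessor :title
  @all = []

  def initialize(id, user_id, title)
    @id, @user_id, @title = id, user_id, title
  end

  class << self
    attr_reader :all

    def create(user_id, title)
      task = new(all.size + 1, user_id, title)
      all << task
      task
    end

    # Task.find(id): looks at every task in the system, owner ignored.
    def find(id)
      task = all.find { |t| t.id == id.to_i }
      raise RecordNotFound, "Couldn't find Task with id=#{id}" unless task
      task
    end
  end
end

# Stand-in for the has_many :tasks association that Rails puts on User.
class TaskScope
  def initialize(user)
    @user = user
  end

  # current_user.tasks.find(id): the "WHERE user_id = ?" restriction is applied for you,
  # so a task owned by someone else is simply not found.
  def find(id)
    task = Task.all.find { |t| t.user_id == @user.id && t.id == id.to_i }
    raise RecordNotFound, "Couldn't find Task with id=#{id} for user #{@user.id}" unless task
    task
  end

  # current_user.tasks.create(...): the new row gets user_id set to the current user.
  def create(title)
    Task.create(@user.id, title)
  end
end

# Stand-in for the Devise user model; current_user would be an instance of this.
User = Struct.new(:id, :name) do
  def tasks
    TaskScope.new(self)
  end
end

# The naive controller action: whatever id is in the URL goes straight to Task.find.
def show_unscoped(params, current_user)
  Task.find(params[:id])
end

# The fixed action: the lookup goes through the association, so only the
# current user's own rows are visible.
def show_scoped(params, current_user)
  current_user.tasks.find(params[:id])
end

# Constructed fixture: user A owns task 1, user B owns task 2.
def fixture
  Task.all.clear
  a = User.new(1, "A")
  b = User.new(2, "B")
  a.tasks.create("A's task")   # gets id 1
  b.tasks.create("B's task")   # gets id 2
  [a, b]
end

# Simulates user A editing the URL from /tasks/1 to /tasks/2 against the given
# action; returns :leaked if B's task came back, :blocked if the lookup failed.
def probe(action)
  a, _b = fixture
  action.call({ id: "2" }, a)
  :leaked
rescue RecordNotFound
  :blocked
end

if __FILE__ == $0
  puts "Task.find(params[:id]):               #{probe(method(:show_unscoped))}"
  puts "current_user.tasks.find(params[:id]): #{probe(method(:show_scoped))}"
end
```

The same substitution applies to the other actions: `current_user.tasks.build`/`create` sets `user_id` from the session instead of trusting a value in the form, and `current_user.tasks.find` in `edit`, `update` and `destroy` means a foreign id raises `RecordNotFound` (which Rails renders as a 404) rather than touching another user's row.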