application controller security


Chad

Nov 1, 2006, 11:06:38 PM11/1/06
to Ruby on Rails: Talk

Shouldn't everything in the application controller be protected by
default?

I just realized that my app can be called like this:
www.myapp.com/application/method and it actually tries to run that
method inside my application controller.

Is everyone else just adding "protected" at the top?

Thanks,
Chad

Craig White

Nov 1, 2006, 11:36:47 PM11/1/06
to rubyonra...@googlegroups.com
----
I'm quite certain that this can be explained better by others but...

This is a function of Ruby, and the Ruby bible, Programming Ruby, provides
some insights, as does AWDWR if I recall correctly.

All methods in your controllers are public unless they are specifically
made private or protected.

I can't speak to what others do. I leave most controller methods
available to public but provide access control via
authorize/authenticate methodology mostly cribbed from Chad Fowler's
Rails Recipes - in essence, assuming that a session belonging to a
validated user with appropriate rights controlled via roles will
ultimately govern access to the method(s) requested.

Craig

Chad

Nov 1, 2006, 11:51:10 PM11/1/06
to Ruby on Rails: Talk

I agree, I handle things the same way, but the application controller
public by default? That seems like a potential security risk for Rails
web applications since EVERYONE has an application controller out of
the box.

cheers


On Nov 1, 8:36 pm, Craig White <craigwh...@azapple.com> wrote:
> On Wed, 2006-11-01 at 20:06 -0800, Chad wrote:
>
> > Shouldn't everything in the application controller be protected by
> > default?
>
> > I just realized that my app can be called like this:
> > www.myapp.com/application/method and it actually tries to run that

Jeremy Kemper

Nov 2, 2006, 12:14:19 AM11/2/06
to rubyonra...@googlegroups.com

Yes! Public/protected/private method visibility is a natural way to distinguish actions from their supporting methods. No need to introduce a special case here to sully that consistency.

jeremy

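The behaviour the whole thread turns on, as an added example that is not part of the original posts and is not Rails' own code: a stripped-down model of a Rails-style dispatcher that treats every public instance method a controller defines as a routable action, so a helper left public in the application controller (Chad's case) is reachable from the URL, a helper under `protected` (Jeremy's point) is not, and a role check in a before filter (Craig's approach) governs the actions that remain. `BaseController`, `dispatch`, `before_filter`, the controller classes and the session hashes are all invented for the illustration.

```ruby
# Added example: a minimal model of "public methods are actions", not Rails code.
class RoutingError < StandardError; end
class Unauthorized < StandardError; end

# Stand-in for ActionController::Base. Its own public methods (session, params,
# run_before_filters) are excluded from the action list, the way Rails hides
# its framework methods from routing.
class BaseController
  attr_reader :session, :params

  def initialize(session = {}, params = {})
    @session = session
    @params  = params
  end

  # The rule from the thread: actions are the *public* instance methods that the
  # application's controllers define (inherited ones from ApplicationController
  # included), minus everything that comes from the base class.
  def self.action_methods
    (public_instance_methods(true) - BaseController.public_instance_methods(true)).map(&:to_s)
  end

  # Simulated dispatch of a request for "/<controller>/<action>".
  def self.dispatch(action, session = {}, params = {})
    raise RoutingError, "no action '#{action}'" unless action_methods.include?(action.to_s)
    ctrl = new(session, params)
    ctrl.run_before_filters
    ctrl.public_send(action)
  end

  def run_before_filters
    # `send` rather than `public_send`: filters are deliberately non-public.
    self.class.before_filters.each { |f| send(f) }
  end

  def self.before_filter(name)
    before_filters << name
  end

  def self.before_filters
    @before_filters ||= (superclass.respond_to?(:before_filters) ? superclass.before_filters.dup : [])
  end
end

# Chad's situation: a helper left public in the application controller is an
# action on every controller that inherits it, and on the application
# controller itself.
class LeakyApplicationController < BaseController
  def current_user            # public, therefore routable
    session[:user]
  end
end

class LeakyPostsController < LeakyApplicationController
  def index
    "posts"
  end
end

# Jeremy's answer: let Ruby visibility separate helpers from actions.
class ApplicationController < BaseController
  protected

  def current_user            # protected, therefore not an action
    session[:user]
  end
end

# Craig's layer on top: a role check in a before filter governs what is left.
class AdminController < ApplicationController
  before_filter :require_admin

  def index
    "admin dashboard for #{current_user[:name]}"
  end

  protected

  def require_admin
    user = current_user
    raise Unauthorized, "admin role required" unless user && user[:roles].include?(:admin)
  end
end

if __FILE__ == $0
  puts "leaky actions:  #{LeakyPostsController.action_methods.sort.inspect}"
  puts "fixed actions:  #{AdminController.action_methods.inspect}"
  puts AdminController.dispatch(:index, { user: { name: "ann", roles: [:admin] } })
end
```

Running it shows `["current_user", "index"]` for the leaky controller and `["index"]` for the fixed one; `/admin/current_user` raises `RoutingError`, and `/admin/index` raises `Unauthorized` unless the session carries an admin user. The two mechanisms are complementary: visibility decides what is an action at all, the filter decides who may call it.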
Chad

Nov 2, 2006, 12:38:50 AM11/2/06
to Ruby on Rails: Talk

fair enough. done.


On Nov 1, 9:14 pm, "Jeremy Kemper" <jer...@bitsweat.net> wrote:
> On 11/1/06, Chad <carim...@gmail.com> wrote:
>
> > Shouldn't everything in the application controller be protected by
> > default?
>
> > I just realized that my app can be called like this:
> > www.myapp.com/application/method and it actually tries to run that
> > method inside my application controller.
>
> > Is everyone else just adding "protected" at the top?
>
> Yes! Public/protected/private method visibility is a natural way to
