Fernando Perez
2008-Sep-16 20:24 UTC
Is it required that user provides his password to update?
Hi,

I am working with the restful_authentication plugin, a fresh install from today.

In the users_controller one can read the following:
---
There's no page here to update or destroy a user. If you add those, be smart -- make sure you check that the visitor is authorized to do so, that they supply their old password along with a new one to update it, etc.
---
I thought Rails had CSRF protection when submitting forms. Can it be hacked?

If that is the case, this means that even for adding/removing/editing entries, an admin will be required to enter his password for each action he takes.

What do you think?
--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Frederick Cheung
2008-Sep-16 21:13 UTC
Re: Is it required that user provides his password to update?
On 16 Sep 2008, at 21:24, Fernando Perez <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:

> Hi,
>
> I am working with the restful_authentication plugin, a fresh install from today.
>
> In the users_controller one can read the following:
> ---
> There's no page here to update or destroy a user. If you add those, be
> smart -- make sure you check that the visitor is authorized to do so, that they
> supply their old password along with a new one to update it, etc.
> ---
> I thought Rails had CSRF protection when submitting forms. Can it be hacked?
>
> If that is the case, this means that even for adding/removing/editing
> entries, an admin will be required to enter his password for each action
> he takes.

I think you're conflating several issues. The comment is just saying that you should be careful to restrict what users can update. That is a completely separate issue to CSRF.

Fred

> What do you think?
> --
> Posted via http://www.ruby-forum.com/.
Fernando Perez
2008-Sep-16 21:37 UTC
Re: Is it required that user provides his password to update?
Are you sure about that?

I read that Rails 2.x uses HTTP-only cookies, so I guess that it is up to the user to make sure his browser is secure and complies with security standards.

The issue about supplying the old password with the new one is in the case where the identity was stolen. The account is cracked, but neither the password nor the email can be changed.

Do you remember the Gmail security hole that enabled a hacker to create mail filters to redirect mail to his own account?
--
Posted via http://www.ruby-forum.com/.
Erol Fornoles
2008-Sep-16 23:39 UTC
Re: Is it required that user provides his password to update?
On Sep 17, 5:37 am, Fernando Perez <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:

> Are you sure about that?
>
> I read that Rails 2.x uses HTTP-only cookies, so I guess that it is up
> to the user to make sure his browser is secure and complies with security
> standards.
>
> The issue about supplying the old password with the new one is in the
> case where the identity was stolen. The account is cracked, but neither the
> password nor the email can be changed.
>
> Do you remember the Gmail security hole that enabled a hacker to
> create mail filters to redirect mail to his own account?
> --
> Posted via http://www.ruby-forum.com/.

I think the comment is just saying that authentication and authorization are two different beasts, i.e., the current user logged in is indeed that user (authentication) as opposed to the current user being allowed to change or update other users (authorization).

It is always a good idea to ask for a user's old password whenever he(?) is trying to change it. There will always be instances when a user can be just plain dumb - like forgetting to log off from a public workstation.