Which is the best way of doing this?

I have an Article show page with a post form, so when submitting the post I give the article_id argument to the post create method in a different controller.

-- 
Posted via http://www.ruby-forum.com/.

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Is there a question here? What do you feel is "insecure" about what you are doing?
Using a hidden_field shows the value to the user through the source code, and using GET can let users change the value from the URL.
You're right.

How do you determine that a user has access to add a comment to a specific article? That's the logic that you should put in your controller/model.

So if the user changes the article ID in the URL to an article that he doesn't have access to, it should throw an error.
Is this for a comment form? You would definitely need to send the article_id to the comment, so it knows which article it belongs to. But what I fail to see here is why this is a security failure. In order to show the page, the ID (or whatever fills in for it, cf. friendly_id) must be in the URL.

Walter

On May 13, 2011, at 8:15 AM, Tomas R. wrote:
> Which is the best way of doing this?
>
> I have an Article show page with a post form, so when submitting the post I give the article_id argument to the post create method in a different controller.
Tim Shaffer wrote in post #998504:
> You're right.
>
> How do you determine that a user has access to add a comment to a specific article? That's the logic that you should put in your controller/model.
>
> So if the user changes the article ID in the URL to an article that he doesn't have access to, it should throw an error.

Any user can post on any article, but I don't think it's a good idea to use GET, and I don't think hidden_field is the best option either. Is there another way of doing this?

Walter Davis wrote in post #998505:
> Is this for a comment form? You would definitely need to send the article_id to the comment, so it knows which article it belongs to. But what I fail to see here is why this is a security failure. In order to show the page, the ID (or whatever fills in for it, cf. friendly_id) must be in the URL.
>
> Walter

But I don't think the GET method is a good way of getting data into a database.
On May 13, 2011, at 9:13 AM, Tomas R. wrote:
> Any user can post on any article, but I don't think it's a good idea to use GET, and I don't think hidden_field is the best option either. Is there another way of doing this?
>
> But I don't think the GET method is a good way of getting data into a database.

I fail to see the issue here. But I suppose you could use the session for this, although if your permissions are the way you state -- anyone can see anything, anyone can post on anything -- then it just doesn't mean anything. You've got all the Rails protection stuff running on all user input, so it doesn't look to me like there's some threat here.

Walter
What if someone sets article_id = 1000000 and an article with id 1000000 doesn't exist?
On 13 May 2011 15:34, Tomas R. <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> What if someone sets article_id = 1000000 and an article with id 1000000 doesn't exist?

What if they do that in the show method? Are you catching RecordNotFound errors? Or are you checking for .exists? in your controller before doing a find?
Then they get an error, and are told that they are an annoying git. It's not going to build a new article just for them if they're fooling around, right? Your comment create looks like this:

    # find_by_id returns nil for an unknown id; find would raise
    # ActiveRecord::RecordNotFound and never reach the else branch
    @article = Article.find_by_id(params[:comment][:article_id])
    if @article
      @article.comments << Comment.new(params[:comment])
      @article.save
    else
      # go away, you're an annoying git
    end

Or there's probably an even cleaner way to do this with a validation, along the lines of comment.article must exist. Or even better, you could be using accepts_nested_attributes_for, and post the comment to the article, not to the comments controller. That would fail very early, because the parent article wouldn't exist.

Walter

On May 13, 2011, at 10:34 AM, Tomas R. wrote:
> What if someone sets article_id = 1000000 and an article with id 1000000 doesn't exist?
If they do that, then your application will explode. Actually, it just says it can't find the article with id = ### and the user will have to move on.

What is the problem with the user changing the article id? If they change it to another article they are allowed to post on, oh well; if they change it to an article they shouldn't be allowed to post on, you need to catch it.

You can also use nested resources to achieve a URL like /articles/1/comments/new, but again you're still going to expose the article ID.

On May 13, 10:34 am, "Tomas R." <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> What if someone sets article_id = 1000000 and an article with id 1000000 doesn't exist?
OK, I get it now.