Daniel N
2006-Nov-04 02:22 UTC
[Rails-core] Possible Security issue. Access Helpers from Browser
Hi all,

Cross-posting from the rails list. I'm not sure if any discussion is warranted on this on the core list, but I thought I'd put it up for discussion anyway.

Rails thread: http://www.ruby-forum.com/topic/80293#new

It seems that if a helper is used in a controller, and not protected, then you can access this directly from the browser. Usually resulting in an error, but not if the helper renders something.

i.e. in a controller:

    helper :my_helper

In my_helper there is a method, helper_method, that renders a partial; it will be rendered in the browser.

In the browser:

    http://localhost:3000/helper_method

I'm summarising from the other thread. I'm at work at the moment and don't have Rails available to play with, so please excuse any mistakes in syntax at the moment.

Does anyone else see this as a potential security issue?

Cheers
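
A simplified model of the exposure described in the message above, added here as an example; it is not part of the original post and not Rails source. It assumes a dispatcher that treats every public instance method of a controller as a URL-reachable action and that the helper's methods end up mixed into the controller class; `BaseController`, `UnsafeController`, `SafeController` and the audit method `exposed_helper_methods` are hypothetical names.

```ruby
# Toy dispatcher (assumption, not Rails code): any public instance method
# defined below BaseController is treated as an action reachable by URL.
class BaseController
  def render(text)
    text
  end
  private :render

  # Methods a request can reach: public methods not inherited from the base.
  def self.action_methods
    (public_instance_methods(true) - BaseController.public_instance_methods(true))
      .map(&:to_s).sort
  end

  # Audit check: reachable methods that come from a mixed-in module
  # rather than from the controller class itself.
  def self.exposed_helper_methods
    action_methods.reject { |m| instance_method(m).owner == self }
  end

  def self.dispatch(path)
    action = path.sub(%r{\A/}, "")
    return "404 Not Found" unless action_methods.include?(action)
    new.public_send(action)
  end
end

# Hypothetical helper; helper_method renders a partial, as in the post.
module MyHelper
  def helper_method
    render("<div>partial</div>")
  end
end

class UnsafeController < BaseController
  include MyHelper # helper methods stay public, so they are routable
  def index
    render("index")
  end
end

class SafeController < BaseController
  include MyHelper
  private(*MyHelper.public_instance_methods) # hidden from the dispatcher
  def index
    render("index")
  end
end
```

Running `exposed_helper_methods` over each controller class gives a list of mixed-in methods that a request could reach; an empty list means the helper methods are not routable in this model.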