Carl Youngblood
2005-Oct-14 21:26 UTC
Problem with before_filter in combination with render_component
I have a before_filter on a controller that looks like this:

    before_filter :admin_required, :except => [:update, :edit]

In another controller's action (controller name: security, action name: editprofile) I'm calling one of these unprotected actions like so:

    <%= render_component(:controller => 'user',
                         :action => :edit,
                         :id => @user.id,
                         :params => { :context => :editprofile }) %>

The :admin_required filter should not be called, but it is. I'm wondering if this has something to do with the fact that I'm calling it as a component in another controller's action. Just in case this was the case, I added the other controller's action to the list of filter exceptions, but that didn't seem to help. Any ideas?

Thanks,

Carl
Dave M
2005-Oct-15 01:20 UTC
Re: Problem with before_filter in combination with render_component
The problem with passing :context => :editprofile as a param is that it can open up security holes. It may not matter in your particular application, but in the general case, I could easily spoof this by doing the following, which could end up bypassing your admin_required filter:

    http://.../security/edit?context=editprofile

You might be better off passing your context as a local:

    <%= render_component(:controller => 'user',
                         :action => :edit,
                         :id => @user.id,
                         :locals => { :context => :editprofile }) %>

I've seen code that did this to enable "admin" features of a user edit page without the author realizing that all the user had to do was add ?context=admin and hey-presto, they could make themselves an admin!

Hope this helps.

--- Carl Youngblood <carl.youngblood-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I have a before_filter on a controller that looks like this:
>
>     before_filter :admin_required, :except => [:update, :edit]
>
> In another controller's action (controller name: security, action name: editprofile) I'm calling one of these unprotected actions like so:
>
>     <%= render_component(:controller => 'user',
>                          :action => :edit,
>                          :id => @user.id,
>                          :params => { :context => :editprofile }) %>
>
> The :admin_required filter should not be called, but it is. I'm wondering if this has something to do with the fact that I'm calling it as a component in another controller's action. Just in case this was the case, I added the other controller's action to the list of filter exceptions, but that didn't seem to help. Any ideas?
>
> Thanks,
>
> Carl
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
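To make Dave's point concrete, here is an added example (not code from either poster, and not Rails itself) that simulates the two filter designs in plain Ruby. It assumes a hash stands in for the User model, that a direct request's params are built from the query string, and that render_component's :params merge into the component's params while :locals stay in-process and are never populated from a request. Both scenarios are constructed; the filter names are hypothetical.

```ruby
require 'cgi'

# Constructed stand-ins for the User model (assumption, not the project's model).
ADMIN  = { name: 'alice', admin: true }.freeze
MEMBER = { name: 'bob',   admin: false }.freeze

# Filter as the thread describes it: the admin check is skipped whenever the
# request's params carry context=editprofile. Params are built from the
# client's request, so the client controls this value.
def admin_required_via_params(user, params)
  return :allowed if params['context'].to_s == 'editprofile'
  user[:admin] ? :allowed : :denied
end

# Hardened filter: the skip is keyed on an in-process value that only the
# calling controller can set (render_component :locals). A direct request
# arrives with no locals, so the admin check always runs for it.
def admin_required_via_locals(user, locals)
  return :allowed if locals[:context] == :editprofile
  user[:admin] ? :allowed : :denied
end

# Build the params hash the way a direct request would: from the query string.
def params_from_query(query)
  CGI.parse(query).transform_values(&:first)
end

# Scenario 1: a non-admin requests /user/edit?context=editprofile&id=42 directly.
def direct_request_outcomes
  params = params_from_query('context=editprofile&id=42')
  {
    via_params: admin_required_via_params(MEMBER, params),
    via_locals: admin_required_via_locals(MEMBER, {}) # no locals on a direct hit
  }
end

# Scenario 2: security#editprofile renders user#edit as a component for the
# same non-admin. With :params the context lands in params; with :locals it
# stays in-process and is invisible to the request.
def component_render_outcomes
  merged_params = { 'id' => '42', 'context' => 'editprofile' } # render_component :params
  locals        = { context: :editprofile }                     # render_component :locals
  {
    via_params: admin_required_via_params(MEMBER, merged_params),
    via_locals: admin_required_via_locals(MEMBER, locals)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "direct request:   #{direct_request_outcomes}"
  puts "component render: #{component_render_outcomes}"
end
```

The params-based filter lets the direct request through (the hole Dave describes), while the locals-based filter still allows the legitimate component render and denies the direct request. The general rule the simulation illustrates: an authorization bypass must be keyed on state the server sets, never on a value the request can supply.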