Carl Youngblood
2005-Oct-14 21:26 UTC
Problem with before_filter in combination with render_component
I have a before_filter on a controller that looks like this:
before_filter :admin_required, :except => [:update, :edit]
In another controller's action (controller name: security, action
name: editprofile) I'm calling one of these unprotected actions like
so:
<%= render_component(:controller => 'user',
                     :action => :edit,
                     :id => @user.id,
                     :params => { :context => :editprofile }) %>
The :admin_required filter should not be called, but it is. I'm
wondering if this has something to do with the fact that I'm calling
it as a component in another controller's action. Just in case this
was the case, I added the other controller's action to the list of
filter exceptions, but that didn't seem to help. Any ideas?
Thanks,
Carl
Dave M
2005-Oct-15 01:20 UTC
Re: Problem with before_filter in combination with render_component
The problem with passing :context => :editprofile as a
param is that it can open up security holes. It may
not matter in your particular application, but in the
general case, I could easily spoof this by doing the
following, which could end up bypassing your
admin_required filter:
http://.../security/edit?context=editprofile
You might be better off passing your context as a
local:
<%= render_component(:controller => 'user',
                     :action => :edit,
                     :id => @user.id,
                     :locals => { :context => :editprofile }) %>
I've seen code that did this to enable "admin"
features of a user edit page without the author
realizing that all the user had to do was add
?context=admin and hey-presto, they could make
themselves an admin!
Hope this helps.
--- Carl Youngblood
<carl.youngblood-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I have a before_filter on a controller that looks
> like this:
>
> before_filter :admin_required, :except => [:update,
> :edit]
>
> In another controller's action (controller name:
> security, action
> name: editprofile) I'm calling one of these
> unprotected actions like
> so:
>
> <%= render_component(:controller => 'user',
>                      :action => :edit,
>                      :id => @user.id,
>                      :params => { :context => :editprofile }) %>
>
> The :admin_required filter should not be called,
> but it is. I'm
> wondering if this has something to do with the fact
> that I'm calling
> it as a component in another controller's action.
> Just in case this
> was the case, I added the other controller's action
> to the list of
> filter exceptions, but that didn't seem to help.
> Any ideas?
>
> Thanks,
>
> Carl
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
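The spoofing Dave describes, as an added example that is not part of this thread and not Rails code. It is a constructed Ruby model of the one Rails 1.x behaviour that matters here: a component's :params and a direct request's query string land in the same params hash, so a filter or action that keys a trust decision on params[:context] cannot tell a template-supplied value from a client-supplied one. The User and Request structs, the admin_required_* and update_* functions and the sample requests are assumptions made for the illustration; the hardened variants take the privilege decision from session state and pass the presentational context as a local, as Dave suggests.

```ruby
require 'cgi'

# Constructed stand-ins, not Rails classes. current_user is what the
# session says about the caller; the client cannot rewrite it.
User    = Struct.new(:id, :name, :admin)
Request = Struct.new(:query, :current_user)

# Query string -> string-keyed hash (assumption: one value per key).
def parse_query(query)
  CGI.parse(query.to_s).transform_values(&:first)
end

# What render_component's :params option effectively did: the template's
# params were merged into the request's params, so the action saw one hash
# and could not tell a template-supplied :context from a client-supplied one.
def merged_params(request, component_params = {})
  extra = component_params.map { |k, v| [k.to_s, v.to_s] }.to_h
  parse_query(request.query).merge(extra)
end

# --- Vulnerable: both decisions keyed on params["context"] ---------------

# An admin_required filter that waves the edit page through whenever it
# looks like the self-service profile editor (context=editprofile).
# Returns true when the request is allowed to proceed.
def admin_required_vulnerable(request, component_params = {})
  params = merged_params(request, component_params)
  return true if params["context"] == "editprofile"
  request.current_user.admin
end

# An update action that enables the "admin" checkbox when context=admin,
# the pattern from Dave's anecdote.
def update_vulnerable(request, target, component_params = {})
  params = merged_params(request, component_params)
  target.name = params["name"] if params.key?("name")
  if params["context"] == "admin" && params.key?("admin")
    target.admin = (params["admin"] == "1")
  end
  target
end

# --- Hardened: privilege from session state, context as a local ----------

def admin_required_hardened(request)
  request.current_user.admin
end

# locals carry only the presentation choice (which view to render); they
# never enter params, and the privilege check does not look at them.
def update_hardened(request, target, locals = {})
  params = parse_query(request.query)
  target.name = params["name"] if params.key?("name")
  if request.current_user.admin && params.key?("admin")
    target.admin = (params["admin"] == "1")
  end
  { user: target, view: locals.fetch(:context, :full) }
end

if $PROGRAM_NAME == __FILE__
  mallory = User.new(2, "mallory", false)
  # Direct request to /user/edit?context=editprofile slips past the filter.
  puts admin_required_vulnerable(Request.new("context=editprofile", mallory))
  # Direct request with ?context=admin&admin=1: self-promotion to admin.
  req = Request.new("name=Mallory&context=admin&admin=1", mallory)
  puts update_vulnerable(req, mallory.dup).admin
  puts update_hardened(req, mallory.dup, { context: :editprofile })[:user].admin
end
```

The property worth checking in a real controller is the same one the hardened functions have: nothing in the filter chain or the action reads params to decide what the caller is allowed to do. Which view to render can still come from a local, because that choice carries no privilege.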