Rails - Mar 2007 - Date Integrity and Form Security

I''m new to rails, and am used to technology that takes care of the
following issue for you:

When using forms in rails, all your data paths lay exposed to the
user.  It''s easy for them to hack the HTML so that when they POST/GET,
they set data for columns that you didn''t mean for them to update.
attr_protected is a somewhat reasonable solution, but it means that
you have to be careful about what you do and do not protect.  Then you
have to deal with the columns you decided to protect individually -
repeatedly!  Speaking of wet - ugh.

If that were the only problem, I could probably live with it.  But in
addition to that, you''re also exposing id''s so that you can
reference
specific rows.  A mischievous user could modify rows that they should
not - unless I check every reference to make sure they''re not.  Again,
trouble that I don''t want to deal with.

Has anyone modified or written an alternative to the form helpers that
would take care of this for me?  Seems like all it would take is a big
hash of magic keys to swap in/out for the normal values.  I imagine
instead of
<input ... name="model[attribute]" ...
or even worse
<input ... name="model_rownum_attribute" ...
you would get
<input ... name="my_magic_hash" ...

Then when the rails app received the next request, the "my_magic_hash"
would be replaced with the the regular string.

I know I''m not the first person to want something like this - has
anyone done a rails solution?

TIA,
Kurt


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---