I'm creating a registration page where parents register their children for an event. I have each parent give me a username and password to login and register their children. Parents also have the ability to come back and edit their children's information. However, if I log in as a parent to edit my child's information, I can type another parent's child's id into the URL to edit that child.

For instance, say I log into the system and view my children, and the link to this is: .../children/edit/1, where 1 is the id of my child. I can go up to the URL and type in .../children/edit/2, and edit the information of a child other than my own. Is there any simple way to stop this and allow parents to edit ONLY their associated children?

My apologies if this is a simple question; I'm new to web development and Ruby on Rails. But if anyone has a solution or can point me to a resource that can answer my question, I'd greatly appreciate it.

Thanks.
Daniel L
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Daniel Legrand wrote:
> Is there any simple way to stop this and allow parents to edit ONLY their associated children?

You should be using associations to do the find. As in:

  @parent = Parent.find params[:parent_id]
  @child = @parent.children.find params[:child_id]

That will only find children of @parent.

Check out http://api.rubyonrails.com/classes/ActiveRecord/Associations/ClassMethods.html

--
Jack Christensen
jackc-/SOt/BrQZzMOf2zXYvRtkodd74u8MsAO@public.gmane.org
There is still a security issue doing it his way:

  @parent = Parent.find params[:parent_id]

since all someone has to do is put in ?parent_id=whatever

If you used some sort of login generator you can do something like

  current_user.children.find params[:child_id]

That way you are pulling the current_user from the session.

On Jun 4, 11:33 am, Jack Christensen <j...-/SOt/BrQZzMOf2zXYvRtkodd74u8MsAO@public.gmane.org> wrote:
> You should be using associations to do the find. As in:
>
>   @parent = Parent.find params[:parent_id]
>   @child = @parent.children.find params[:child_id]
>
> That will only find children of @parent.
>
> --
> Jack Christensen
> j...-/SOt/BrQZzMOf2zXYvRtkodd74u8MsAO@public.gmane.org
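A plain-Ruby model of the three lookups discussed in Jack's and Richard's replies (an added example, not code from the thread or from Rails itself): the `find_*` helpers, the `edit_child_*` functions and the sample children are constructed stand-ins for ActiveRecord's primary-key and association-scoped `find`, so the difference between trusting the URL, trusting a `parent_id` parameter, and trusting only the session can be run without a Rails app.

```ruby
# Plain-Ruby stand-in for ActiveRecord's primary-key and association-scoped
# find, so the three lookups from the thread can be compared without Rails.
class RecordNotFound < StandardError; end

Child = Struct.new(:id, :parent_id, :name)

# Constructed sample rows: parent 1 owns Alice, parent 2 owns Bob.
CHILDREN = [Child.new(1, 1, "Alice"), Child.new(2, 2, "Bob")].freeze

# Like Child.find(id): unscoped, any row is reachable by its primary key.
def find_any_child(id)
  CHILDREN.find { |c| c.id == id } or raise RecordNotFound, "Child #{id}"
end

# Like parent.children.find(id): the association adds WHERE parent_id = ?,
# so rows that belong to other parents are simply not found.
def find_child_of(parent_id, id)
  CHILDREN.find { |c| c.parent_id == parent_id && c.id == id } or
    raise RecordNotFound, "Child #{id} for parent #{parent_id}"
end

# 1. Original problem: the edit action trusts the id from the URL.
def edit_child_vulnerable(_session, params)
  find_any_child(params[:id]).name
end

# 2. Jack's version: scoped, but parent_id also comes from the request,
#    so the caller picks which parent to scope by (Richard's objection).
def edit_child_param_scoped(_session, params)
  find_child_of(params[:parent_id], params[:id]).name
end

# 3. Richard's version: the parent id comes only from the session, which
#    the login step set and the client cannot edit.
def edit_child_scoped(session, params)
  raise RecordNotFound, "not logged in" unless session[:user_id]
  find_child_of(session[:user_id], params[:id]).name
end

if __FILE__ == $0
  session = { user_id: 1 }  # parent 1 is logged in and asks for child 2
  puts edit_child_vulnerable(session, id: 2)                 # Bob
  puts edit_child_param_scoped(session, parent_id: 2, id: 2) # Bob
  begin
    edit_child_scoped(session, id: 2)
  rescue RecordNotFound => e
    puts "blocked: #{e.message}"  # child 2 is not parent 1's
  end
end
```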
Richard Luther wrote:
> There is still a security issue doing it his way
> @parent = Parent.find params[:parent_id]
> since all someone has to do is put in ?parent_id=whatever
> If you used some sort of login generator you can do something like
> current_user.children.find params[:child_id]
> That way you are pulling the current_user from the session.

Thank you for your advice. I believe the problem has been resolved. Thanks again!
--
Posted via http://www.ruby-forum.com/.
You are going to have to model parents as well as children, or require they enter the username/password for each child separately. Then in the before_filter of your actions you need to verify that the session contains the username for the requested child. When they provide a username and password store the username in the session. If they fail to enter the correct username and password be sure to clear the session values so they can not keep trying.

Michael

On Jun 4, 11:29 am, Daniel Legrand <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Is there any simple way to stop this and allow parents to edit ONLY their associated children?