what's the best protection against someone trying to modify a URL in a named route

/users/25/posts

if the user enters another URL /users/26/posts, he can get access to user 26's posts unless ..

a before_filter is checking the current_user ID

but is there any other way to do it ?

thanks for your lights

kad

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
You shouldn't ever rely on routing to protect information from being accessed or edited. Not what it's for.

If only the current user can access his or her posts, I'd probably create a route for that specifically, maybe something like:

/posts
/account/posts

That way you just go off current_user or session[:user] instead of user_id. Otherwise, you definitely need a before_filter.

On Jun 30, 11:34 am, Kad Kerforn <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> what's the best protection against someone trying to modify a URL in a
> named route
>
> /users/25/posts
>
> if the user enters another URL /users/26/posts, he can get access to user
> 26's posts unless ..
>
> a before_filter is checking the current_user ID
>
> but is there any other way to do it ?
>
> thanks for your lights
>
> kad
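The two approaches pico describes, as an added example in plain Ruby that is not from this thread or from Rails: an in-memory store, Struct models and the function names stand in for ActiveRecord and controller actions and are assumptions, so it runs without a Rails app.

```ruby
# Added example: three ways of serving "a user's posts", from the tamperable
# lookup to the scoped one. Models, data and function names are assumptions.
User = Struct.new(:id)
Post = Struct.new(:id, :user_id, :title)

# Constructed sample data: user 25 and user 26 each own one post.
USERS = { 25 => User.new(25), 26 => User.new(26) }.freeze
POSTS = [Post.new(1, 25, "kad's post"), Post.new(2, 26, "another user's post")].freeze

class NotAuthorized < StandardError; end

# 1. Vulnerable: /users/:user_id/posts looks up whatever id is in the URL.
#    The id is client-controlled, so the logged-in user is never consulted and
#    changing 25 to 26 in the address bar returns user 26's posts.
def posts_from_url(_current_user, params)
  POSTS.select { |p| p.user_id == params[:user_id].to_i }
end

# 2. Same route, protected the way Kad describes: a before_filter-style check
#    compares the id in the URL with the session's current_user and rejects a
#    mismatch before the action body runs.
def require_owner!(current_user, params)
  raise NotAuthorized, "user #{current_user.id} may not read /users/#{params[:user_id]}/posts" \
    unless current_user.id == params[:user_id].to_i
end

def posts_with_filter(current_user, params)
  require_owner!(current_user, params)
  POSTS.select { |p| p.user_id == params[:user_id].to_i }
end

# 3. pico's suggestion: /account/posts carries no user id at all, so the lookup
#    is scoped to current_user and there is no parameter left to tamper with.
def account_posts(current_user)
  POSTS.select { |p| p.user_id == current_user.id }
end

if __FILE__ == $PROGRAM_NAME
  kad = USERS[25]
  puts "tampered URL, no check:  #{posts_from_url(kad, user_id: '26').map(&:title)}"
  puts "scoped /account/posts:   #{account_posts(kad).map(&:title)}"
  begin
    posts_with_filter(kad, user_id: '26')
  rescue NotAuthorized => e
    puts "before_filter rejected:  #{e.message}"
  end
end
```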
pico wrote:
> You shouldn't ever rely on routing to protect information from being
> accessed or edited. Not what it's for.
>
> If only the current user can access his or her posts, I'd probably
> create a route for that specifically, maybe something like:
>
> /posts
> /account/posts
>
> That way you just go off current_user or session[:user] instead of
> user_id. Otherwise, you definitely need a before_filter.
>
> On Jun 30, 11:34 am, Kad Kerforn <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>

Thanks.. I understand better... I've never written such routes yet (REST beginner...)
I believe it's only a matter of writing a path without parameters