I have an action in a controller called 'create' that takes values from the 'new' form and saves them into the database. The problem is that a user can type ../post/create and it sends blank values to the action, which then manipulates them, though I use the 'new' action for the form.

What I am asking is: is there any way to protect such actions as 'create' from being accessed through the URL, so that it won't be called, since it does not have anything to do with the user directly?

P.S.: If I put 'create' under 'private' then the 'new.rhtml' view is unable to access 'create'.

Thanks
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
When you generate a controller you get these lines (or, that is, you should):

    # GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html)
    verify :method => :post, :only => [ :destroy, :create, :update ],
           :redirect_to => { :action => :list }

This line (verify :method => :post) does exactly what you want -> it verifies the URL was requested with the POST method (i.e., you can't type it directly into the address bar). If someone does try to access (in the example above) one of the :destroy, :create or :update methods, he will automatically be redirected to the :list action.

hth
--
Posted via http://www.ruby-forum.com/.
Although, there is nothing stopping someone from posting from a fake form or a script, or setting the method manually the way Rails fudges POSTs from certain Ajax calls, etc. I think what you want is to make the method protected, not private.

Shai Rosenfeld wrote:
> when you generate a controller you get these lines (or, that is, you should)
> [...]
> this line ( verify :method => :post ) does exactly what you want -> it verifies the URL is a POST method (i.e., you can't type it directly into the address bar).

--
Sincerely,
William Pratt
@William ... putting actions under protected does not work for me.
@Shai ... where do I put this code exactly?
--
Posted via http://www.ruby-forum.com/.
I would definitely suggest figuring out why it's not working. The cold hard fact is that if you do not make a controller method protected or private, or implement some sort of authorization in a before filter that makes sure it's not called, it can be called by your users. It sounds like maybe you need to revisit how you have your methods structured.

Vapor Rails wrote:
> @William ... putting actions under protected does not work for me.
> @Shai ... where do I put this code exactly?
@vapor (liked the variable notation): you should check into exactly what you are after. The line I posted above is a somewhat secure measure so that you can't type the URL into the address bar and do some funky stuff via typing in a URL (this means it is a GET method). But this doesn't protect the method from being accessed by users, robots, small annoying spam programs and whatnot. It can be very easily accessed by a POST method (the default method for all the <form></form> in HTML, etc.).

If you want to stop ALL access from outside the application to your action, this verify :method => :post line won't be enough, and you'll have to check out Will's suggestion. But if it is sufficient for you to block the user from inputting bad URLs (but not blocking the method altogether) it should work fine for you.

Gather up what your exact needs are, and .. good luck. :)

The line

    # GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html)
    verify :method => :post, :only => [ :destroy, :create, :update ],
           :redirect_to => { :action => :list }

is usually in the top part of the controller, but I don't think it really matters where you put it.

hth
- shai
--
Posted via http://www.ruby-forum.com/.
William Pratt wrote:
> I would definitely suggest figuring out why it's not working.

It gives me this error when I submit the form...

    No such file or directory - ./script/../config/../app/views/post/create.rhtml

@Shai.. exactly... thanks for all the help :)
--
Posted via http://www.ruby-forum.com/.
That error is simply stating that it cannot find the template for that action. If you don't specify a template to render, it will attempt to render a template for that action. You are either missing a template, or you are forgetting to render the correct one.

Vapor .. wrote:
> It gives me this error when I submit the form...
> No such file or directory - ./script/../config/../app/views/post/create.rhtml
William Pratt wrote:
> That error is simply stating that it cannot find the template for that action. If you don't specify a template to render, it will attempt to render a template for that action. You are either missing a template, or you are forgetting to render the correct one.

Actually there is no template for the 'create' action. It just saves values to the db and redirects to 'index'.
--
Posted via http://www.ruby-forum.com/.
Vapor .. wrote:
> The problem is that user can type ../post/create and it sends blank values to action that then manipulates them though I use 'new' action for form.

If the problem is the potential for bad input, rather than trying to protect the create action in some way (you need to keep it accessible so that new can get to it), you should use ActiveRecord's validate methods to make sure the input is good. The validate methods will be checked when the create method tries to save the input and will cause the save to fail if they don't check out. So you usually do something like this:

    def create
      @product = Product.new(params[:product])
      if @product.save
        flash[:notice] = 'Product was successfully created.'
        redirect_to :action => 'list'
      else
        render :action => 'new'
      end
    end

--
Posted via http://www.ruby-forum.com/.
See also attr_protected/attr_accessible, which allows you to protect certain attributes from the mass assignment you do when you do Model.new(params). This means that, for example, the user can't just add an 'is_admin' field to the form and set it to 1.

Fred
--
Posted via http://www.ruby-forum.com/.
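The two model-side defences the last two replies describe (validations that make save fail on blank input, and an attr_accessible-style allow-list that drops a forged is_admin field before it reaches the model), as an added example that is not part of the thread and is not Rails code. It is plain Ruby so it runs without Rails; the User model, its columns, the e-mail regex, the in-memory STORE and the sample params are all constructed for illustration.

```ruby
# Plain-Ruby stand-in for ActiveRecord validations + attr_accessible.
# Not Rails; the User model, columns and sample input are made up for this example.

class User
  STORE      = []                    # stands in for the database table
  COLUMNS    = [:name, :email, :is_admin]
  ACCESSIBLE = [:name, :email]       # the attr_accessible allow-list

  attr_accessor(*COLUMNS)
  attr_reader :errors

  def initialize(params = {})
    @is_admin = false
    @errors = []
    assign_attributes(params)
  end

  # Mass assignment: any key not on the allow-list is silently ignored, which is
  # exactly what attr_accessible does, so a forged is_admin=1 never lands.
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_sym
      next unless ACCESSIBLE.include?(key)
      public_send("#{key}=", value)
    end
  end

  # Validations (validates_presence_of / validates_format_of in Rails terms).
  def valid?
    @errors = []
    @errors << "name can't be blank" if name.to_s.strip.empty?
    if email.to_s.strip.empty?
      @errors << "email can't be blank"
    elsif email.to_s !~ /\A[^@\s]+@[^@\s]+\z/
      @errors << "email is invalid"
    end
    @errors.empty?
  end

  # Mirrors ActiveRecord#save: returns false and persists nothing when invalid.
  def save
    return false unless valid?
    STORE << self
    true
  end
end

# The thread's create action as a plain method. Returns what the controller
# would do next: redirect to the list, or re-render the form with the errors.
def create(params)
  user = User.new(params[:user] || {})
  if user.save
    [:redirect, :list]
  else
    [:render, :new, user.errors]
  end
end

if __FILE__ == $0
  p create({})                                                   # typed-in /post/create, no form data
  p create(:user => { 'name' => 'alice', 'email' => 'alice@example.com' })
  mallory = User.new('name' => 'mallory', 'email' => 'm@example.com', 'is_admin' => '1')
  p mallory.is_admin                                             # forged field dropped
end
```

The blank request the original poster worried about falls through to the render branch with two validation errors, so nothing is written; the forged is_admin field is dropped by assign_attributes before save is ever reached.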
Hi vapor,

Even I faced the same problem, but I designed my project in this way; I don't know whether it suits your application. In my application I don't have any guest user, and for each user the access to pages is restricted, except for some default pages like login, logout etc. The restriction is done with the help of before_filter, so before anything gets executed it checks whether the user is logged in and has the particular action/actions associated as part of his role.

And speaking about the create method, as Shai mentioned, all your actions which change the state of the application should never be submitted through GET, and I guess you will be having proper validation before serializing anything.

Hope it helps, Good Luck

On Sep 17, 2:27 pm, Vapor Rails <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> I have an action in controller called 'create' that takes values from 'new' form and saves into database. The problem is that user can type ../post/create and it sends blank values to action that then manipulates them though I use 'new' action for form.
> [...]
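The three layers the replies above talk about, as an added example that is not part of the thread and is not Rails itself: (1) only public controller methods are reachable as actions, which is why a protected or private create stops working as an action; (2) the verify :method => :post / :redirect_to check from Shai's reply, which turns away a typed-in GET and nothing else; and (3) a before_filter-style login and per-role action check like the one described in the last reply. PostController, its PERMISSIONS table, the Request object and the sample requests are constructed for illustration, and the dispatch order (method check, then authorization) is an assumption.

```ruby
# Tiny dispatcher modelling Rails-style action visibility, verify :method => :post,
# and a before_filter authorization check. Not Rails; everything here is illustrative.

class Request
  attr_reader :method, :action, :params, :session
  def initialize(method, action, params = {}, session = {})
    @method, @action, @params, @session = method, action, params, session
  end
end

class PostController
  # Role -> actions it may invoke (the per-role table from the last reply).
  PERMISSIONS = {
    'reader' => %w[index show],
    'author' => %w[index show new create],
  }
  PUBLIC_ACTIONS = %w[index show login]   # reachable without logging in

  # Equivalent of:
  #   verify :method => :post, :only => [:destroy, :create, :update],
  #          :redirect_to => { :action => :list }
  VERIFY = { :method => 'POST', :only => %w[destroy create update], :redirect_to => 'list' }

  def initialize(request)
    @request = request
  end

  # Layer 1: like Rails, only this class's public methods count as actions
  # (minus the dispatcher's own entry point).
  def self.action_methods
    public_instance_methods(false).map(&:to_s) - %w[process]
  end

  def process
    action = @request.action
    return [:error, "no action '#{action}'"] unless self.class.action_methods.include?(action)
    denied = verify_request_method(action) || authorize(action)   # the before_filters
    return denied if denied
    public_send(action)
  end

  # --- public actions --------------------------------------------------------
  def index;  [:render, :index]; end
  def show;   [:render, :show];  end
  def new;    [:render, :new];   end
  def login;  [:render, :login]; end
  def create
    # Input validation belongs in the model (see the earlier replies).
    [:redirect, :index, @request.params]
  end

  protected

  # Not public, so never reachable as /post/helper.
  def helper
    :not_an_action
  end

  private

  # Layer 2: the verify-method check. Redirects a GET to a state-changing action.
  # A scripted POST passes straight through, which is William's point.
  def verify_request_method(action)
    return nil unless VERIFY[:only].include?(action)
    return nil if @request.method == VERIFY[:method]
    [:redirect, VERIFY[:redirect_to]]
  end

  # Layer 3: before_filter. Anonymous users go to login; a logged-in user may only
  # call actions listed for their role.
  def authorize(action)
    return nil if PUBLIC_ACTIONS.include?(action)
    role = @request.session[:role]
    return [:redirect, 'login'] if role.nil?
    return [:forbidden, action] unless PERMISSIONS.fetch(role, []).include?(action)
    nil
  end
end

def dispatch(method, action, params = {}, session = {})
  PostController.new(Request.new(method, action, params, session)).process
end

if __FILE__ == $0
  p dispatch('GET',  'create')                                     # typed into the address bar
  p dispatch('POST', 'create')                                     # scripted POST, not logged in
  p dispatch('POST', 'create', {}, { :role => 'reader' })          # logged in, wrong role
  p dispatch('POST', 'create', { 'title' => 'x' }, { :role => 'author' })
  p dispatch('GET',  'helper')                                     # protected method
end
```

Run it and compare the five results: the GET is redirected by the method check alone, but the scripted POST only stops at the authorization filter, and the protected helper is not an action at all. Moving create under protected therefore removes it from the route table entirely, which is the "No such file or directory ... create.rhtml"-style failure the original poster ran into rather than a protection of the action.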