I notice that if your urls are in the form:

domain.com/show/2

So, it's easy for users to navigate to other pages sequentially (e.g. domain.com/show/3). Is it possible to encrypt the URLs such that it's harder for users to "guess" where the other pages are located?

for instance, a url encrypted as: domain.com/show/XyAdcZdF

Any ideas?

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en

Bob Sanders wrote:
> I notice that if your urls are in the form:
>
> domain.com/show/2
>
> So, it's easy for users to navigate to other pages sequentially (e.g.
> domain.com/show/3). Is it possible to encrypt the URLs such that it's
> harder for users to "guess" where the other pages are located?
>
> for instance, a url encrypted as: domain.com/show/XyAdcZdF
>
> Any ideas?

Depends on your application. If your goal is to stop people from accessing pages sequentially, I'd ask why? Afraid of someone screen-scraping? They'll figure out how to do it eventually. I'd concentrate my energy on building a great app, not stopping someone from possibly automating some task.

If you're afraid of someone accessing an object they're not supposed to, association proxies are a great way to limit access. So, in your controller, instead of:

    @book = Book.find_by_user_id(params[:id])

Try...

    @book = @user.books.find(params[:id])

This way the scope of the find is limited to books owned by the user in session (or wherever).

Hope that helps...

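The effect of scoping the find to the session user, as an added example that is not part of the original post: plain Ruby with an in-memory array standing in for the books table. Book, User, Scope, find_unscoped and titles_seen are hypothetical names, and the sample rows are constructed.

```ruby
# Hypothetical in-memory stand-ins for the Book and User models.
class RecordNotFound < StandardError; end

Book = Struct.new(:id, :user_id, :title)

# Constructed sample rows: users 10 and 20 own interleaved sequential ids.
BOOKS = [
  Book.new(1, 10, "alice's notes"),
  Book.new(2, 20, "bob's diary"),
  Book.new(3, 10, "alice's drafts"),
  Book.new(4, 20, "bob's letters")
].freeze

# Unscoped lookup: any id that exists is returned, whoever asks.
def find_unscoped(id)
  BOOKS.find { |b| b.id == Integer(id) } or raise RecordNotFound
end

# Scoped lookup, the shape of @user.books.find(params[:id]): the owner is
# part of the query, so another user's id is indistinguishable from a missing one.
class Scope
  def initialize(user_id)
    @user_id = user_id
  end

  def find(id)
    BOOKS.find { |b| b.id == Integer(id) && b.user_id == @user_id } or
      raise RecordNotFound, "no book #{id} for user #{@user_id}"
  end
end

class User
  def initialize(id)
    @id = id
  end

  def books
    Scope.new(@id)
  end
end

# Request every id in turn through the given finder and collect what comes back.
def titles_seen(ids)
  ids.map do |id|
    begin
      yield(id).title
    rescue RecordNotFound
      nil
    end
  end.compact
end
```

Walking ids 1 to 5 through find_unscoped returns all four titles; the same walk through User.new(10).books.find returns only the two rows owned by user 10.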
On Nov 2, 2007, at 6:14 AM, Bob Sanders wrote:
> I notice that if your urls are in the form:
>
> domain.com/show/2
>
> So, it's easy for users to navigate to other pages sequentially (e.g.
> domain.com/show/3). Is it possible to encrypt the URLs such that it's
> harder for users to "guess" where the other pages are located?
>
> for instance, a url encrypted as: domain.com/show/XyAdcZdF

"Harder to guess" is never a viable strategy. Either your application allows access to record 3 for User X or it doesn't. Guessing should have no part in controlling that.

To enforce an ability where it "doesn't" means filtering requests based on a user with a known profile. If logged-in User X is allowed to see only records which match a certain pattern, then your app has to mark records so that pattern can be searched for, and queries have to be dynamically generated based on user profile data to find that pattern.

-- gw

First things first. If you have already built a great web application and your control of resources is adequate, then perhaps it is time to play with URLs. Most people struggle to get URLs more Google friendly or human readable; I hope that you have a clear idea of what you would like to achieve. Anyhow, you can make some kind of hash function that will do the mapping from hash value to and from :controller/:action/:id format. A little helper function and some route mapping and you can be on your way to making your great web app with adequate control of resources even better, with links that are harder to guess.

On Nov 2, 7:06 pm, Greg Willits <li...-0Bv1hcaDFPRk211Z5VL+QA@public.gmane.org> wrote:
> On Nov 2, 2007, at 6:14 AM, Bob Sanders wrote:
>
> > I notice that if your urls are in the form:
> >
> > domain.com/show/2
> >
> > So, it's easy for users to navigate to other pages sequentially (e.g.
> > domain.com/show/3). Is it possible to encrypt the URLs such that it's
> > harder for users to "guess" where the other pages are located?
> >
> > for instance, a url encrypted as: domain.com/show/XyAdcZdF
>
> "Harder to guess" is never a viable strategy. Either your application
> allows access to record 3 for User X or it doesn't. Guessing should
> have no part in controlling that.
>
> To enforce an ability where it "doesn't" means filtering requests
> based on a user with a known profile. If logged-in User X is allowed
> to see only records which match a certain pattern, then your app has
> to mark records so that pattern can be searched for, and queries have
> to be dynamically generated based on user profile data to find that
> pattern.
>
> -- gw

Hi guys,

The reason why I want encrypted URLs is that it's not that big of a deal if users find the other pages.

I just don't want them to be able to access the other pages so easily -- but also, where they don't have to go through hoops to find the page they want.

Is there a good way to do that?

e.g. map.connect ":controller/:action:/XyZ12:id4215"...

Couldn't you, for example, add a URL field in the DB to which you assign some random string like xWa2IUhkjwq23 when you create the page, and then you could use:

    @page = Page.find_by_url(params[:url])

In your Page model you could also add the following:

    def to_param
      url
    end

That returns the url-parameter we added instead of the ID in cases where the ID would normally be returned. Remember that you have to use find_by_url when doing this!

You could also use the following:

    # Returns something like this
    # 21-asdKjiWAOdl
    # which would be rather easy to guess if the user
    # isn't totally dumb
    def to_param
      "#{id}-#{url}"
    end

Rails will extract the ID when it needs it with some magic, but the addresses are going to be a lot easier to guess! In this case you could just use the normal Page.find()

Your routes could look something like this:

    map.connect ":controller/:action/:url"

Hope this helps.

S

On Nov 2, 7:29 pm, Bob Sanders <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi guys,
>
> The reason why I want encrypted URLs is that it's not that big of a deal
> if users find the other pages.
>
> I just don't want them to be able to access the other pages so easily --
> but also, where they don't have to go through hoops to find the page
> they want.
>
> Is there a good way to do that?
>
> e.g. map.connect ":controller/:action:/XyZ12:id4215"...

Here is a change to my previous post:

If you want URLs like this:

domain.com/show/XyAdcZdF

you would have to make your routes look more like this:

    map.connect ':action/:url', :controller => 'the_controller'

On Nov 3, 11:17 am, Sebastian Probst Eide <sebastian.probst.e...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Couldn't you, for example, add a URL field in the DB to which you assign some
> random string like xWa2IUhkjwq23 when you create the page, and then
> you could use:
>
>     @page = Page.find_by_url(params[:url])
>
> In your Page model you could also add the following:
>
>     def to_param
>       url
>     end
>
> That returns the url-parameter we added instead of the ID in cases
> where the ID would normally be returned. Remember that you have to use
> find_by_url when doing this!
>
> You could also use the following:
>
>     # Returns something like this
>     # 21-asdKjiWAOdl
>     # which would be rather easy to guess if the user
>     # isn't totally dumb
>     def to_param
>       "#{id}-#{url}"
>     end
>
> Rails will extract the ID when it needs it with some magic, but the
> addresses are going to be a lot easier to guess! In this case you
> could just use the normal Page.find()
>
> Your routes could look something like this:
>
>     map.connect ":controller/:action/:url"
>
> Hope this helps.
>
> S
>
> On Nov 2, 7:29 pm, Bob Sanders <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
> wrote:
>
> > Hi guys,
> >
> > The reason why I want encrypted URLs is that it's not that big of a deal
> > if users find the other pages.
> >
> > I just don't want them to be able to access the other pages so easily --
> > but also, where they don't have to go through hoops to find the page
> > they want.
> >
> > Is there a good way to do that?
> >
> > e.g. map.connect ":controller/:action:/XyZ12:id4215"...

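The random url field described in the two posts above, as an added example that is not code from the thread: plain Ruby with an in-memory hash standing in for the pages table and a unique index on url. The use of SecureRandom, the 12-byte token size, the format check and the demo helper are assumptions added here.

```ruby
require 'securerandom'

# Hypothetical in-memory stand-in for the Page model and its `url` column.
class Page
  TOKEN_BYTES  = 12                        # 96 bits from the OS CSPRNG
  TOKEN_FORMAT = /\A[A-Za-z0-9_-]{16}\z/   # 12 bytes encode to 16 URL-safe chars

  @by_url  = {}                            # plays the role of a unique index on `url`
  @next_id = 0

  class << self
    # Create a page and assign its token, retrying on the unlikely collision.
    def create(title)
      url = SecureRandom.urlsafe_base64(TOKEN_BYTES)
      url = SecureRandom.urlsafe_base64(TOKEN_BYTES) while @by_url.key?(url)
      @next_id += 1
      @by_url[url] = new(@next_id, url, title)
    end

    # Lookup by token only. Anything that is not a well-formed token,
    # including a bare sequential id such as "3", resolves to nothing.
    def find_by_url(param)
      return nil unless param.is_a?(String) && param.match?(TOKEN_FORMAT)
      @by_url[param]
    end
  end

  attr_reader :id, :url, :title

  def initialize(id, url, title)
    @id, @url, @title = id, url, title
  end

  # What link helpers put in the path instead of the numeric id.
  def to_param
    url
  end
end

# Constructed demo: three pages, then lookups by token, by id, and by "id-token".
def demo
  pages = %w[first second third].map { |t| Page.create(t) }
  {
    by_token:         Page.find_by_url(pages[1].to_param)&.title,
    by_sequential_id: Page.find_by_url('3'),
    by_id_prefixed:   Page.find_by_url("#{pages[2].id}-#{pages[2].url}"),
    tokens_unique:    pages.map(&:url).uniq.size == pages.size
  }
end
```

A token of this kind only makes addresses impractical to enumerate; whether a given user may see a page is still decided by a scoped lookup such as `@user.books.find(params[:id])`.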
Sebastian Probst Eide wrote:
> Here is a change to my previous post:
>
> If you want URLs like this:
>
> domain.com/show/XyAdcZdF
>
> you would have to make your routes look more like this:
>
>     map.connect ':action/:url', :controller => 'the_controller'
>
> On Nov 3, 11:17 am, Sebastian Probst Eide

Thanks Sebastian! And, thanks everybody for your wonderful help.