Hello,

I have in my application a private public URL. For those who know Flickr, it is sorta like the URL you give to your friend for them to access your photos. Usually the URL looks like this:

http://www.domain.com/url/khjuytf678ysdfksdgihsd

Where "khjuytf678ysdfksdgihsd" is an encoded path. Let's say I want to have a public-private page for:

http://www.domain.com/event/124/pinvitation/12

Now I created a controller called URLController that takes the encoded path and redirects to it:
"khjuytf678ysdfksdgihsd" becomes "event/124/pinvitation/12"

That works well. But an evil mind can actually directly write "event/124/pinvitation/12" in the browser and access the same page.

The other way I could do this is hide everything behind the URLController and make the redirection transparent to the browser (so the browser always thinks it is page "url/khjuytf678ysdfksdgihsd"). But I don't know how I can achieve that because redirect_to always changes the url.

So my question is, how can I restrict the path "event/124/pinvitation/12" as being redirected from the URLController. Can I put a condition on the route for this?

I guess this is a classic problem :)

Thank you very much,
Julien.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
One initial thought I have is to use the idea of always showing the browser the encoded url, but instead of redirecting, call the appropriate action from the URLController, but make those called actions protected so they can't be called directly from a browser. Make sense? I haven't tried or tested it, but it should work.

-Bill

On Nov 4, 2007, at 10:26 AM, julien.guimont-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> Hello,
>
> I have in my application a private public URL. For those who know
> Flickr, it is sorta like the URL you give to your friend for them to
> access your photos. Usually the URL looks like this:
>
> http://www.domain.com/url/khjuytf678ysdfksdgihsd
>
> Where "khjuytf678ysdfksdgihsd" is an encoded path. Let's say I want to
> have a public-private page for:
>
> http://www.domain.com/event/124/pinvitation/12
>
> Now I created a controller called URLController that takes the encoded
> path and redirects to it:
> "khjuytf678ysdfksdgihsd" becomes "event/124/pinvitation/12"
>
> That works well. But an evil mind can actually directly write
> "event/124/pinvitation/12" in the browser and access the same page.
>
> The other way I could do this is hide everything behind the
> URLController and make the redirection transparent to the browser (so
> the browser always thinks it is page "url/khjuytf678ysdfksdgihsd").
> But I don't know how I can achieve that because redirect_to always
> changes the url.
>
> So my question is, how can I restrict the path
> "event/124/pinvitation/12" as being redirected from the URLController.
> Can I put a condition on the route for this?
>
> I guess this is a classic problem :)
>
> Thank you very much,
> Julien.
julien.guimont-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Nov-04 22:38 UTC
Re: Hidden URL
Hello,

Always showing the encoded url will allow the user to bookmark the page also, which is a good thing. If I call the other controller actions using render... it does not execute the controller code, it goes directly to render the associated view.

Also what happens with the encoded url when the user triggers an action on the page (like leaving a comment for example)? The url for the form would be the url of the "protected" controller and not another encoded url. So basically all URLs for a private-public page will have to be encoded in some way.

I am wondering if some deep functionality in rails can help me with that.

Thanks,
Julien.

On Nov 4, 2:35 pm, William Pratt <bi...-YbheRAKfYF4eIZ0/mPfg9Q@public.gmane.org> wrote:
> One initial thought I have is to use the idea of always showing the
> browser the encoded url, but instead of redirecting, call the
> appropriate action from the URLController, but make those called
> actions protected so they can't be called directly from a browser.
> Make sense? I haven't tried or tested it, but it should work.
>
> -Bill
I wouldn't call the other method using render, call the other method directly and let it render the results.

-Bill

On Nov 4, 2007, at 2:38 PM, julien.guimont-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> Hello,
>
> Always showing the encoded url will allow the user to bookmark the page
> also, which is a good thing.
> If I call the other controller actions using render... it does not
> execute the controller code, it goes directly to render the associated
> view.
>
> Also what happens with the encoded url when the user triggers an action
> on the page (like leaving a comment for example)? The url for the form
> would be the url of the "protected" controller and not another encoded
> url. So basically all URLs for a private-public page will have to be
> encoded in some way.
>
> I am wondering if some deep functionality in rails can help me with
> that.
>
> Thanks,
> Julien.
julien.guimont-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Nov-05 03:18 UTC
Re: Hidden URL
Hello,

I got into reading this:

http://weblog.jamisbuck.org/2006/10/4/under-the-hood-route-recognition-in-rails

And I think I can put the code for decrypting the url in a special implementation of the route. Let's hope it doesn't slow everything down too much.

Thanks!
Julien.

On Nov 4, 5:40 pm, William Pratt <bi...-YbheRAKfYF4eIZ0/mPfg9Q@public.gmane.org> wrote:
> I wouldn't call the other method using render, call the other method
> directly and let it render the results.
>
> -Bill
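
Added example, not part of the original thread and not any poster's code: the design the thread converges on (serve the page under the opaque URL without redirecting, refuse the plain path, keep form URLs under the opaque URL), in plain Ruby so it runs without Rails. It swaps the encoded path for a random stored token; `INVITATIONS`, `GRANTS`, `issue_link`, `show_invitation` and `dispatch` are hypothetical names, and `dispatch` stands in for the routes plus URLController.

```ruby
require "securerandom"
require "digest"

# Constructed sample data standing in for database tables (assumption).
INVITATIONS = { [124, 12] => { owner: "julien", text: "You are invited" } }
GRANTS = {} # SHA-256(token) => invitation key

# Create a share link. Only the token's digest is stored, so a leaked
# table does not yield working links.
def issue_link(key)
  token = SecureRandom.urlsafe_base64(24) # 192 random bits
  GRANTS[Digest::SHA256.hexdigest(token)] = key
  "/url/#{token}"
end

# The real action: takes an already-authorized invitation key and builds
# every follow-up URL (here the comment form) under the caller's base URL.
def show_invitation(key, base_url)
  { status: 200, body: INVITATIONS.fetch(key)[:text],
    comment_form_action: "#{base_url}/comments" }
end

# Hypothetical front controller; HTTP methods are left out for brevity.
def dispatch(path, session_user: nil)
  if (m = path.match(%r{\A/url/([A-Za-z0-9_-]+)(/comments)?\z}))
    key = GRANTS[Digest::SHA256.hexdigest(m[1])]
    return { status: 404 } unless key # unknown token: nothing is revealed
    return { status: 201, body: "comment saved" } if m[2]
    show_invitation(key, "/url/#{m[1]}") # called in-process, no redirect
  elsif (m = path.match(%r{\A/event/(\d+)/pinvitation/(\d+)\z}))
    key = [m[1].to_i, m[2].to_i]
    inv = INVITATIONS[key]
    # Direct path: access is decided by the session, not by knowing the URL.
    return { status: 403 } unless inv && session_user == inv[:owner]
    show_invitation(key, path)
  else
    { status: 404 }
  end
end
```

Because the token is looked up rather than decoded, a link can be revoked by deleting its row, and the direct route needs no hiding since it authorizes on the session.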