I've created a three tiered nested resource tree as defined below. My problem is that it's easy for a user to fake the URL and pull image records from another user's account since there is no check to see if the image actually belongs to the user. Does anyone have a recommendation on how I can secure this in a DRY manner? Is there some sort of plugin or base functionality that I can't seem to find by googling?

    map.resources :people do |person|
      person.resources :events do |event|
        event.resources :images
      end
    end

For example, if a user types in the following URL they will get the image whether or not the image is part of an event which belongs to the specified user:

    http://localhost/people/123/events/456/images/789

Thanks,

Mike

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On Mar 14, 2008, at 11:28 PM, Mike Y wrote:

> I've created a three tiered nested resource tree as defined below. My
> problem is that it's easy for a user to fake the URL and pull image
> records from another user's account since there is no check to see if
> the image actually belongs to the user. Does anyone have a
> recommendation on how I can secure this in a DRY manner? Is there
> some sort of plugin or base functionality that I can't seem to find by
> googling?
>
>     map.resources :people do |person|
>       person.resources :events do |event|
>         event.resources :images
>       end
>     end
>
> For example, if a user types in the following URL they will get the
> image whether or not the image is part of an event which belongs to
> the specified user:
>
>     http://localhost/people/123/events/456/images/789
>
> Thanks,
>
> Mike

It seems that if you authenticate your user (probably your person), then you can safely assume ownership of events and images. So using your example, the ImagesController will be in charge of serving this page. This might translate to:

    {:controller => 'images', :id => 789, :event_id => 456, :person_id => 123}

Thus, you might write code in your controller such as:

    if Session.user_authenticated(params[:person_id])
      # Walk the ownership chain from the person down: an event_id or image id
      # that does not belong to this person raises ActiveRecord::RecordNotFound
      # instead of returning another account's record.
      image = Person.find(params[:person_id]).events.find(params[:event_id]).images.find(params[:id])
    else
      flash[:error] = 'go steal images someplace else'
    end

The "user_authenticated" method might be something you would add to RESTful Authentication to compare the params[:person_id] to the id of the current user.
you might want to read the following about nesting resources more than 2 levels deep:

http://weblog.jamisbuck.org/2007/2/5/nesting-resources

having said that, the normal way to do this is by scoping to the specified resource:

    class EventsController < ApplicationController
      # Runs before every action so that each query below is scoped to the
      # person named in the URL rather than to the whole events table.
      before_filter :get_person

      def get_person
        @person = Person.find_by_id(params[:person_id])
      end

      def index
        @events = @person.events
      end

      def edit
        @event = @person.events.find_by_id(params[:id])
        ...
      end
    end

Mike

On Sat, Mar 15, 2008 at 2:03 AM, s.ross <cwdinfo-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> On Mar 14, 2008, at 11:28 PM, Mike Y wrote:
>
> > I've created a three tiered nested resource tree as defined below. My
> > problem is that it's easy for a user to fake the URL and pull image
> > records from another user's account since there is no check to see if
> > the image actually belongs to the user. Does anyone have a
> > recommendation on how I can secure this in a DRY manner? Is there
> > some sort of plugin or base functionality that I can't seem to find by
> > googling?
> >
> >     map.resources :people do |person|
> >       person.resources :events do |event|
> >         event.resources :images
> >       end
> >     end
> >
> > For example, if a user types in the following URL they will get the
> > image whether or not the image is part of an event which belongs to
> > the specified user:
> >
> >     http://localhost/people/123/events/456/images/789
> >
> > Thanks,
> >
> > Mike
>
> It seems that if you authenticate your user (probably your person),
> then you can safely assume ownership of events and images. So using
> your example, the ImagesController will be in charge of serving this
> page. This might translate to:
>
>     {:controller => 'images', :id => 789, :event_id => 456, :person_id => 123}
>
> Thus, you might write code in your controller such as:
>
>     if Session.user_authenticated(params[:person_id])
>       image = Person.find(params[:person_id]).events.find(params[:event_id]).images.find(params[:id])
>     else
>       flash[:error] = 'go steal images someplace else'
>     end
>
> The "user_authenticated" method might be something you would add to
> RESTful Authentication to compare the params[:person_id] to the id of
> the current user.
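The two replies above describe the same idea: scope the lookup to the owner instead of fetching the image by id alone. The following is an added example, not code from the thread, that models the people/events/images nesting with plain Ruby structs (no Rails) so the difference is visible offline. The sample records, the RecordNotFound/Forbidden classes and the helper names are constructed for this example; the ids 123/456/789 are the ones from the original URL.

```ruby
# In-memory stand-ins for the Person, Event and Image models (constructed).
Person = Struct.new(:id, :events)
Event  = Struct.new(:id, :person_id, :images)
Image  = Struct.new(:id, :event_id, :path)

class RecordNotFound < StandardError; end   # Rails would render a 404
class Forbidden < StandardError; end        # URL person_id != session user

# Constructed sample data: person 123 owns event 456 with image 789;
# person 999 owns event 1 with image 2.
IMAGES = {
  789 => Image.new(789, 456, "/uploads/789.jpg"),
  2   => Image.new(2, 1, "/uploads/2.jpg"),
}
EVENTS = {
  456 => Event.new(456, 123, [IMAGES[789]]),
  1   => Event.new(1, 999, [IMAGES[2]]),
}
PEOPLE = {
  123 => Person.new(123, [EVENTS[456]]),
  999 => Person.new(999, [EVENTS[1]]),
}

# The pattern the original post describes: Image.find(params[:id]) ignores
# the nesting, so any authenticated user can read any image id they type.
def unscoped_image(params)
  IMAGES.fetch(params[:id]) { raise RecordNotFound }
end

# The scoped pattern from the replies, rooted at the session's user rather
# than at whatever person_id the URL carries. A mismatch between the URL
# and the session is refused, and a break anywhere in the ownership chain
# (event not owned by the person, image not in the event) is a not-found.
def scoped_image(current_person, params)
  raise Forbidden unless current_person.id == params[:person_id]
  event = current_person.events.find { |e| e.id == params[:event_id] } or raise RecordNotFound
  event.images.find { |i| i.id == params[:id] } or raise RecordNotFound
end
```

In a real controller the same chain is `current_user.events.find(params[:event_id]).images.find(params[:id])`, where each association `find` raises ActiveRecord::RecordNotFound on a forged id.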