In CakePHP, you have the Security component. It takes certain form values like id and user_id and such and encodes them. How is this done in Rails? I don't want the user to change ids on items for deletions and such.

Trausti
You can enable :protect_from_forgery, which puts an authenticity token in every form. This is on by default in the new version of Rails. It is a random ID tied to the session. This is not the same as what you are looking for, but it will probably suffice.

Mukund
Actually I think it is completely different. That is protection from CSRF attacks, whereas Trausti is (I think) concerned about a user editing the page to change the value of a hidden field or things like that.

Fred
You could always do it manually by encoding the ids in question and storing the encoding in the form as well. On form validation, you could just ensure that the encoded string and the non-encoded string match up. That way, a hacker would need to change both strings to get the thing to work. Would that work, or were you looking for something less manual like a gem or whatever?
Fredrik, exactly what I am after. Hashing/crypting the hidden fields. How? If I do this manually, it is more than guaranteed that I will forget this someplace.

Trausti
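One way to do the "store the id and its encoding, check they match" idea from the post above in plain Ruby, as an added example that is not code from anyone in this thread: the encoding must be an HMAC under a server-side secret, because a reversible or public encoding (base64, a bare hash) could simply be recomputed by whoever edits the hidden field. The secret value, field names and user ids below are constructed for the demo.

```ruby
require "openssl"

# Constructed placeholder; a real app reads this from its secrets config.
HIDDEN_FIELD_SECRET = "demo-only-secret-change-me"

# Compares two strings without leaking where they first differ.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Builds the value to render into the hidden field: "<value>--<hmac>".
# The MAC also covers the field name and the owning user, so a token
# signed for one field or one user cannot be reused for another.
def sign_hidden_field(field, value, user_id, secret = HIDDEN_FIELD_SECRET)
  payload = "#{field}|#{user_id}|#{value}"
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{value}--#{mac}"
end

# Verifies a submitted hidden value on the way back in.
# Returns the original value when intact, nil when missing or altered.
def verify_hidden_field(field, submitted, user_id, secret = HIDDEN_FIELD_SECRET)
  return nil unless submitted.is_a?(String)
  value, sep, mac = submitted.rpartition("--") # MAC is hex, never contains "--"
  return nil if sep.empty? || value.empty?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{field}|#{user_id}|#{value}")
  constant_time_eq?(mac, expected) ? value : nil
end

if __FILE__ == $PROGRAM_NAME
  hidden = sign_hidden_field("item_id", "17", 42)      # rendered into the form
  p verify_hidden_field("item_id", hidden, 42)          # "17": honest round trip
  p verify_hidden_field("item_id", hidden.sub(/\A17/, "18"), 42) # nil: id edited
  p verify_hidden_field("item_id", hidden, 7)           # nil: other user's session
  p verify_hidden_field("item_id", "17", 42)            # nil: MAC stripped
end
```

Signing only proves the id came from a form the server rendered for that user; the controller still has to confirm that user owns item 17, for example by looking it up through the current user's association rather than a global find.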
You may want to take a look at attr_accessible / attr_protected and friends - they handle the common case where you don't want to allow mass-assignment of some attributes.

--Matt Jones