Rails - Aug 2010 - [newbie] when authenticating a resource, do i need to cover PUT, DELETE, POST actions?

Hi,

I''m using authentication with a :before_filter for controller actions
I want to restrict. I see that I''ll want to authenticate GET request
actions, but what about PUT, DELETE, POST requests? Can anyone
''get''
to these latter requests if all GET requests on a resource are
authenticated? In this same vein, how about covering ajax actions?

(The reason I don''t want to just protect everything is I don''t
want to
add tests unnecessarily...)

Thanks,

Lille

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On 6 August 2010 19:42, Lille
<lille.penguini-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> Hi,
>
> I''m using authentication with a :before_filter for controller
actions
> I want to restrict. I see that I''ll want to authenticate GET
request
> actions, but what about PUT, DELETE, POST requests? Can anyone
''get''
> to these latter requests if all GET requests on a resource are
> authenticated? In this same vein, how about covering ajax actions?
I think all actions should be protected.  Assume that any action url
and request type can be generated by a hacker.

Colin

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.