Forum: Ruby on Rails Overcoming security via typing in the URL?

Daniel L. (Guest)
on 2007-06-04 22:29
I'm creating a registration page where parents register their children
for an event.  I have each parent give me a username and password to
login and register their children.  Parents also have the ability to
come back and edit their children's information.  However, if I log in
as a parent to edit my child's information, I can type another parent's
child's id into the URL to edit that child.

For instance, say I log into the system and view my children, and the
link to this is: .../children/edit/1, where 1 is the id of my child.  I
can go up to the URL and type in .../children/edit/2, and edit the
information of a child other than my own.  Is there any simple way to
stop this and allow parents to edit ONLY their associated children?

My apologies if this is a simple question; I'm new to web development and
Ruby on Rails.  But if anyone has a solution or can point me to a
resource that can answer my question, I'd greatly appreciate it.

Thanks.
Daniel L
Jack C. (Guest)
on 2007-06-04 22:34
(Received via mailing list)
Daniel L. wrote:
> information of a child other than my own.  Is there any simple way to
> stop this and allow parents to edit ONLY their associated children?
>
> My apologies if this is a simple question; I'm new to web development and
> Ruby on Rails.  But if anyone has a solution or can point me to a
> resource that can answer my question, I'd greatly appreciate it.
>
> Thanks.
> Daniel L
>
>
You should be using associations to do the find. As in:

@parent = Parent.find params[:parent_id]
@child = @parent.children.find params[:child_id]

That will only find children of @parent.

Check out
http://api.rubyonrails.com/classes/ActiveRecord/As...

--
Jack C.
Richard L. (Guest)
on 2007-06-04 23:00
(Received via mailing list)
There is still a security issue doing it his way
@parent = Parent.find params[:parent_id]
since all someone has to do is put in ?parent_id=whatever
If you used some sort of login generator you can do something like
current_user.children.find params[:child_id]
That way you are pulling the current_user from the session.
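The three lookups discussed in Jack's and Richard's replies, as an added example that is not from the thread: plain Ruby stand-ins (Parent, Child, Scope, NotFound) replace the ActiveRecord models, the association proxy and ActiveRecord::RecordNotFound so the block runs without Rails.

```ruby
# Added example (not from the thread): the three lookups discussed above,
# modelled in plain Ruby so it runs without Rails. Parent, Child, Scope and
# NotFound are stand-ins for the ActiveRecord models, the association proxy
# and ActiveRecord::RecordNotFound.
NotFound = Class.new(StandardError)

Child = Struct.new(:id, :parent_id, :name)

# Mimics an association proxy: find only searches records inside the scope.
class Scope
  def initialize(records)
    @records = records
  end

  def find(id)
    @records.find { |r| r.id == id.to_i } || raise(NotFound, "no record with id=#{id}")
  end
end

class Parent
  attr_reader :id, :children

  def initialize(id, all_children)
    @id = id
    @children = Scope.new(all_children.select { |c| c.parent_id == id })
  end
end

# Constructed sample data: two parents, one child each.
ALL_CHILDREN = [Child.new(1, 10, "Alice"), Child.new(2, 20, "Bob")]
PARENTS = { 10 => Parent.new(10, ALL_CHILDREN), 20 => Parent.new(20, ALL_CHILDREN) }

# 1. The original problem: Child.find params[:id] trusts the id typed into the URL.
def edit_child_unscoped(params)
  Scope.new(ALL_CHILDREN).find(params[:id])
end

# 2. Jack's version: scoped to a parent, but the parent id also comes from the
#    request, so the caller can name any parent (Richard's objection).
def edit_child_param_scoped(params)
  PARENTS.fetch(params[:parent_id].to_i).children.find(params[:id])
end

# 3. Richard's version: the parent comes from the session set at login and the
#    find is scoped to current_user.children, so a foreign id raises NotFound.
def edit_child_session_scoped(session, params)
  current_user = PARENTS.fetch(session[:parent_id])
  current_user.children.find(params[:id])
end
```

In a real controller the session-scoped lookup is the one that belongs in the edit and update actions (or a before_filter), with the NotFound rescue rendering a 404 rather than leaking which ids exist.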
Daniel L. (Guest)
on 2007-06-04 23:26
Richard L. wrote:
> There is still a security issue doing it his way
> @parent = Parent.find params[:parent_id]
> since all someone has to do is put in ?parent_id=whatever
> If you used some sort of login generator you can do something like
> current_user.children.find params[:child_id]
> That way you are pulling the current_user from the session.

Thank you for your advice.  I believe the problem has been resolved.
Thanks again!
MichaelLatta (Guest)
on 2007-06-05 00:17
(Received via mailing list)
You are going to have to model parents as well as children, or require
they enter the username/password for each child separately.  Then in
the before_filter of your actions you need to verify that the session
contains the username for the requested child.  When they provide a
username and password store the username in the session.  If they fail
to enter the correct username and password be sure to clear the
session values so they can not keep trying.

Michael