Forum: Ruby on Rails exposing id'd

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Gareth R. (Guest)
on 2006-01-07 23:08
I have been working on a small app that started with some scaffolding.
Some of my actions still have the structure where the id's of things are
passed on the url for gets.

Whats the best way to avoid the security problems that this creates?

I am sure that there are many pages written on this topic but I guess I
have been searching for the wrong things.

Thanks

Gareth
Wilson B. (Guest)
on 2006-01-08 00:16
(Received via mailing list)
On 1/7/06, Gareth R. <removed_email_address@domain.invalid> wrote:
> I have been working on a small app that started with some scaffolding.
> Some of my actions still have the structure where the id's of things are
> passed on the url for gets.
>
> Whats the best way to avoid the security problems that this creates?
>
> I am sure that there are many pages written on this topic but I guess I
> have been searching for the wrong things.
>
You can use Routes to remove those id values (though I wouldn't call
them a security problem.)
http://manuals.rubyonrails.com/read/chapter/65

Also, if you define "to_param" in your models, you can make setting up
those routes even easier:
http://dev.rubyonrails.org/ticket/812
Gareth R. (Guest)
on 2006-01-08 01:40
Wilson B. wrote:
> On 1/7/06, Gareth R. <removed_email_address@domain.invalid> wrote:
>> I have been working on a small app that started with some scaffolding.
>> Some of my actions still have the structure where the id's of things are
>> passed on the url for gets.
>>
>> Whats the best way to avoid the security problems that this creates?
>>
>> I am sure that there are many pages written on this topic but I guess I
>> have been searching for the wrong things.
>>
> You can use Routes to remove those id values (though I wouldn't call
> them a security problem.)
> http://manuals.rubyonrails.com/read/chapter/65
>
> Also, if you define "to_param" in your models, you can make setting up
> those routes even easier:
> http://dev.rubyonrails.org/ticket/812

The issues that I am concerned about is just having users be able to
hack a url to give them access to something that they shouldnt have
access to. I probably should check that the current user has permissions
to see the thing that they are lookin for in each of the actions.

How do other people deal with this ?

Gareth
Kevin O. (Guest)
on 2006-01-08 01:44
Gareth R. wrote:
> The issues that I am concerned about is just having users be able to
> hack a url to give them access to something that they shouldnt have
> access to. I probably should check that the current user has permissions
> to see the thing that they are lookin for in each of the actions.
>
> How do other people deal with this ?

As a rule, security through obscurity is a bad idea.  It's better than
nothing, but not by much.  If you are concerned about who sees a record,
you need to set up some method to check and ensure that the user is
actually entitled to see it.  Exactly how you do that will depend on
your application and user model.
Gareth R. (Guest)
on 2006-01-08 01:51
Kevin O. wrote:
> Gareth R. wrote:
>> The issues that I am concerned about is just having users be able to
>> hack a url to give them access to something that they shouldnt have
>> access to. I probably should check that the current user has permissions
>> to see the thing that they are lookin for in each of the actions.
>>
>> How do other people deal with this ?
>
> As a rule, security through obscurity is a bad idea.  It's better than
> nothing, but not by much.  If you are concerned about who sees a record,
> you need to set up some method to check and ensure that the user is
> actually entitled to see it.  Exactly how you do that will depend on
> your application and user model.

Agreed. I was planning on doing both but not sure how or if its possible
to avoid exposing the ids urls.

Gareth
Michael S. (Guest)
on 2006-01-08 02:35
(Received via mailing list)
In general, you should assume that users can get to any URL in your app.
As
Kevin suggests, you need to write code to stop them WHEN they get to the
right URL, rather than just preventing them from knowing what the right
URL
is.

For example, the Salted Login code uses a before_filter in each
controller
that should be protected.  A user can only got to a protected URL if
they're
logged in.

Obviously, you want something more granular than that- it's not just
that
they're logged in, it's that they have certain rights on the particular
thing they're viewing or editing.  Again, as Kevin suggests, you need to
decide what those rights are and how they work for your app, and then
code
it.
Kevin O. (Guest)
on 2006-01-08 03:06
Gareth R. wrote:

> Agreed. I was planning on doing both but not sure how or if its possible
> to avoid exposing the ids urls.
>
> Gareth

Keep in mind that users can bookmark pages if you put the id in the URL.
If you want them to be able to do that, you need to keep the id's there.

One approach I have used in the past to hide the id is to stuff it into
the session hash.
Tom M. (Guest)
on 2006-01-08 04:17
(Received via mailing list)
On Jan 7, 2006, at 3:40 PM, Gareth R. wrote:

>>> I am sure that there are many pages written on this topic but I
>> http://dev.rubyonrails.org/ticket/812
>
> The issues that I am concerned about is just having users be able to
> hack a url to give them access to something that they shouldnt have
> access to. I probably should check that the current user has
> permissions
> to see the thing that they are lookin for in each of the actions.

I have a ticket in, with code attached, to provide one answer to this
question:

http://dev.rubyonrails.org/ticket/2408

--
-- Tom M.
Pat M. (Guest)
on 2006-01-08 08:11
(Received via mailing list)
On 1/7/06, Gareth R. <removed_email_address@domain.invalid> wrote:
> >>
> access to. I probably should check that the current user has permissions
> Rails mailing list
> removed_email_address@domain.invalid
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

One thing to keep in mind is to always use associations for finding
things when you've got them set up.  For example, you have a User
model and an JournalEntry model, and a User has many JournalEntries.
If you want users to only be able to access their own journal entries,
just be sure to access the entries through the user object.  So
something like this in your controller:

entry = session[:user].journal_entries.find(params[:id])

This ends up being the same as
JournalEntry.find_by_id_and_user_id(params[:id], session[:user].id),
but it's obviously way more concise and logical.

Anyway, that's a pretty simple way of making sure that people don't
get to view something they shouldn't.  As far as restricting access to
controllers and individual actions, you can look into using the
UserEngine which implements basic RBAC.

Pat
This topic is locked and can not be replied to.