Application controller security

Shouldn’t everything in the application controller be protected by
default?

I just realized that my app can be called like this:
www.myapp.com/application/method and it actually tries to run that
method inside my application controller.

Is everyone else just adding “protected” at the top?

Thanks,
Chad

On Wed, 2006-11-01 at 20:06 -0800, Chad wrote:

> Shouldn’t everything in the application controller be protected by
> default?
>
> I just realized that my app can be called like this:
> www.myapp.com/application/method and it actually tries to run that
> method inside my application controller.
>
> Is everyone else just adding “protected” at the top?


I’m quite certain that this can be explained better by others but…

This is a function of Ruby, and the Ruby bible, Programming Ruby, provides
some insights, as does AWDWR if I recall correctly.

All methods in your controllers are public unless they are specifically
made private or protected.

I can’t speak to what others do. I leave most controller methods
available to public but provide access control via
authorize/authenticate methodology mostly cribbed from Chad F.'s
Rails Recipes - in essence, assuming that a session belonging to a
validated user with appropriate rights controlled via roles will
ultimately govern access to the method(s) requested.

Craig

I agree, I handle things the same way, but the application controller
public by default? That seems like a potential security risk for Rails
web applications since EVERYONE has an application controller out of
the box.

cheers

On 11/1/06, Chad wrote:

> Shouldn’t everything in the application controller be protected by
> default?
>
> I just realized that my app can be called like this:
> www.myapp.com/application/method and it actually tries to run that
> method inside my application controller.
>
> Is everyone else just adding “protected” at the top?

Yes! Public/protected/private method visibility is a natural way to
distinguish actions from their supporting methods. No need to introduce a
special case here to sully that consistency.

jeremy

fair enough. done.
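The visibility rule Jeremy describes, as an added example that is not from the thread and not Rails' own dispatcher: a minimal stand-in base class that treats only public methods defined on the subclass as actions, with the leaky application controller Chad found beside the version with `protected` above its helper. `BaseController`, `render`, `dispatch` and the two controller names are assumed for illustration.

```ruby
# Added example, not Rails' own code: a tiny dispatcher applying the rule
# the thread describes for /controller/method requests. Only PUBLIC
# instance methods the controller itself defines count as actions.
class BaseController
  # Assumed stand-in for a framework helper: public in the base class,
  # but never exposed as an action of a subclass.
  def render(text)
    text
  end

  # Action list = public methods on the subclass minus those inherited
  # from the framework base class (and from Object).
  def self.action_methods
    (public_instance_methods(true) - BaseController.public_instance_methods(true))
      .map(&:to_s).sort
  end

  # Route one URL segment to an action, or answer with a 404-style string.
  def self.dispatch(action)
    action = action.to_s
    return "404 unknown action: #{action}" unless action_methods.include?(action)
    new.public_send(action)
  end
end

# The situation Chad hit: a supporting method left public in the
# application controller, so /application/lookup_user is routable.
class LeakyApplicationController < BaseController
  def index
    render "index page"
  end

  def lookup_user        # meant as a helper, but public => it is an action
    render "user record loaded"
  end
end

# What the thread settles on: "protected" above the helpers. Actions
# behave the same, but the helper no longer answers a URL.
class SafeApplicationController < BaseController
  def index
    render "index page"
  end

  protected
  def lookup_user
    render "user record loaded"
  end
end
```

Rails itself exposes the same kind of list as `action_methods` on a controller class, which is the quick way to audit what a URL can reach.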