I have what I hope is a simple question regarding a security practice
I’ve been using in my first Rails app. I want to know if it’s
worthwhile or if the extra typing isn’t worth it.
I have 3 models that are related to each other.
class User < AR::Base
class Library < AR::Base
class Item < AR::Base
In my library_controller, most of the actions should only be
available to a logged in user. Using the acts_as_authenticated plugin
I have setup the appropriate pieces and use a before_filter to
require the session to be that of a logged in user. So far, so good.
Here’s where things (finally) get interesting. When my controller
needs to edit an item, I typically do this:
@user = User.find_by_login(session[:user])
@library = @user.library
@item = @user.library.items.find(params[:id]) # <-- necessary?
It’s that second line in my #edit_item action that I’m curious about.
It works just fine if I do:
@item = Item.find(params[:id])
However, that second method looks insecure to me since I suppose it
is possible for a logged_in user to get malicious and try
substituting in some different :id values to see what gets returned.
The second action lets that user essentially have access to the
entire table whereas the first action constrains their possible set
Am I right? (Be gentle, I’m a rails nuby.)
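Added example (not code from the original post): a small in-memory stand-in for the two lookups above, showing why scoping the find through the user's library matters. It uses plain Ruby instead of ActiveRecord, and the ITEMS rows, library ids, `edit_item`, and the two `find_*` helpers are constructed for illustration; the scoped lookup also fails closed, returning the same "not found" result for another library's id as for a nonexistent one.

```ruby
# Constructed stand-in for ActiveRecord's RecordNotFound.
RecordNotFound = Class.new(StandardError)

# A tiny "items table", keyed by id. Constructed sample data:
# library 10 belongs to one user, library 20 to another.
ITEMS = {
  1 => { id: 1, library_id: 10, name: "alice's book" },
  2 => { id: 2, library_id: 20, name: "bob's book" },
}.freeze

# Unscoped lookup, the analogue of Item.find(params[:id]):
# every row in the table is reachable by id, whoever asks.
def find_item_unscoped(id)
  ITEMS.fetch(id.to_i) { raise RecordNotFound, "Item #{id}" }
end

# Scoped lookup, the analogue of @user.library.items.find(params[:id]):
# the candidate set is narrowed to the caller's own library first, so an
# id that belongs to another library is indistinguishable from a missing one.
def find_item_in_library(library_id, id)
  row = ITEMS[id.to_i]
  raise RecordNotFound, "Item #{id}" unless row && row[:library_id] == library_id
  row
end

# Simulated controller action: the logged-in user's library id comes from
# the session, params[:id] comes from the request. Returns the item name,
# or :not_found when the lookup raises.
def edit_item(current_library_id, params, scoped: true)
  item = if scoped
           find_item_in_library(current_library_id, params[:id])
         else
           find_item_unscoped(params[:id])
         end
  item[:name]
rescue RecordNotFound
  :not_found
end

if __FILE__ == $0
  # The user of library 10 submits an id that belongs to library 20.
  p edit_item(10, { id: "2" }, scoped: false) # => "bob's book" (exposed)
  p edit_item(10, { id: "2" }, scoped: true)  # => :not_found   (constrained)
end
```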