Is it required that the user provides his password to update?

Hi,

I am working with a fresh install of the restful_authentication plugin from today.

In the users_controller one can read the following:

There’s no page here to update or destroy a user. If you add those, be smart – make sure you check that the visitor is authorized to do so, that they supply their old password along with a new one to update it, etc.

I thought Rails had a CSRF protection when submitting forms. Can it be hacked?

If that is the case, this means that even for adding/removing/editing entries, an admin will be required to enter his password for each action he takes.

What do you think?

On 16 Sep 2008, at 21:24, Fernando P. <[email protected]> wrote:

> smart – make sure you check that the visitor is authorized to do so, that they supply their old password along with a new one to update it, etc.
>
> I thought Rails had a CSRF protection when submitting forms. Can it be hacked?
>
> If that is the case, this means that even for adding/removing/editing entries, an admin will be required to enter his password for each action he takes.

I think you're conflating several issues. The comment is just saying that you should be careful to restrict what users can update. That is a completely separate issue to CSRF.

Fred

Are you sure about that?

I read that Rails 2.x uses HttpOnly cookies, so I guess that it is up to the user to make sure his browser is secure and complies with security standards.

The issue about supplying the old password with the new one is in the case where the identity was stolen. The account is cracked, but neither the password nor the email can be changed.

Do you remember the Gmail security hole that enabled a hacker to create mail filters to redirect mail to his own account?

On Sep 17, 5:37 am, Fernando P. <[email protected]> wrote:

> Do you remember the Gmail security hole that enabled a hacker to create mail filters to redirect mail to his own account?
>
> Posted via http://www.ruby-forum.com/.

I think the comment is just saying that authentication and authorization are two different beasts, i.e., the current user logged in is indeed that user (authentication) as opposed to the current user being allowed to change or update other users (authorization).

It is always a good idea to ask for a user’s old password whenever he(?) is trying to change it. There will always be instances when a user can be just plain dumb - like forgetting to log off from a public workstation.