Preferred way to deny access

Let's say I have a session based login system:

username = session[:username] (jochen)
userid = session[:userid] (1)

Now I want to book a room:

http://127.0.0.1:3000/guests/1/bookings/new (works)

But when I type

http://127.0.0.1:3000/guests/5/bookings/new

I can book a room for a different user.

What's the preferred way to deny access to URLs including a userid, so that I can only access those URLs which include my own userid?

Thanks,

Jochen

Why would you store the current user's ID in the URL anyway? That's a major security risk. It can be better handled by storing the user ID in a session[:user] or session[:user_id] variable. Check out how acts_as_authenticated and restful_authentication do it.

On Dec 20, 2007 9:13 PM, Thorsten M. [email protected] wrote:

By the way: no need to store the username in the session, the id is enough.


Posted via http://www.ruby-forum.com/.


Ryan B.

On 20.12.2007 at 12:24, Ryan B. wrote:

Why would you store the current user's ID in the URL anyway?

http://127.0.0.1:3000/guests/1/bookings/new

That's the way Rails does it, isn't it?

Your user model defines:

    has_many :bookings

so after finding the current user like this:

    def current_user
      @current_user ||= User.find(session[:userid])
    end

in application.rb, you can use

    current_user.bookings.create(…)

That way nobody can access somebody else's data. The same goes for index/show actions etc.:

    current_user.bookings.each do |booking|
      # …
    end

By the way: no need to store the username in the session, the id is enough.

I would suggest installing the restful_authentication plugin.

Once that's done, one way of doing it is to add the following filter in the bookings controller:

    before_filter :login_required

and then add an authorized? method to check whether the user_id in the URL matches the current user. The code below checks that the user is logged in and is in the correct role:

    def authorized?
      logged_in? && (current_user.roles.in_role('company') or
                     current_user.roles.in_role('admin'))
    end
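As an added example (not code from the thread or from restful_authentication), here is a Rails-free sketch of the two defences the replies above suggest: scoping through the logged-in user's own bookings, and an authorized?-style check that the id in the URL is the caller's own. User, Booking, USERS, Forbidden and the book_room functions are constructed names for illustration.

```ruby
# Added example, not code from the thread: a Rails-free sketch of the two
# defences suggested above, (1) scoping through the logged-in user's own
# bookings and (2) an authorized?-style check that the id in the URL is the
# caller's own id. User, Booking, USERS, Forbidden and book_room are all
# constructed names for illustration.
User    = Struct.new(:id, :name, :bookings)
Booking = Struct.new(:user_id, :room)

# Constructed in-memory "database": jochen is user 1, somebody else is user 5.
USERS = {
  1 => User.new(1, "jochen", []),
  5 => User.new(5, "other",  []),
}

class Forbidden < StandardError; end

# The vulnerable shape from the question: the guest id comes straight from the
# URL (params) and the session is never consulted, so /guests/5/bookings/new
# books a room for user 5 even though user 1 is logged in.
def book_room_insecure(session, params, room)
  guest = USERS.fetch(params[:guest_id])
  guest.bookings << Booking.new(guest.id, room)
  guest.bookings.last
end

# Stand-in for the current_user helper from application.rb.
def current_user(session)
  USERS.fetch(session[:userid]) { raise Forbidden, "not logged in" }
end

# authorized?-style check: the user_id in the URL must match the session user.
def authorized?(session, params)
  session[:userid] && params[:guest_id] == session[:userid]
end

# Hardened form: deny unless authorized, then go through current_user.bookings
# so the record can only ever belong to the caller, whatever the URL said.
def book_room(session, params, room)
  raise Forbidden, "guest #{params[:guest_id]} is not the logged-in user" unless authorized?(session, params)
  user = current_user(session)
  user.bookings << Booking.new(user.id, room)
  user.bookings.last
end
```

In a real controller the same shape is `current_user.bookings.build(params[:booking])` behind `before_filter :login_required`, with the URL's guest id compared against `current_user.id` or simply never used for the lookup.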

That's the way Rails does it, isn't it?

No, that’s not the way Rails should do something like that. It should
store it as a session variable.


Ryan B.

Unless you’re nesting your routes, which in this case might make sense.

–Jeremy
