Prefered way to deny access

Lets say I have a session based login system:

username = session[:username] (jochen)
userid = session[:userid] (1)

Now I want to book a room:

http://127.0.0.1:3000/guests/1/bookings/new (works)

But when I type

http://127.0.0.1:3000/guests/5/bookings/new

I can book a room for a different user.

Whats the prefered way to deny success to urls including a userid so
that I can only
access these url which include my userid?

Thanx


Jochen

Why would you store the current user’s ID in the URL anyway? That’s a
major
security risk. It can be better handled by storing the user ID in a
session[:user] or session[:user_id] variable. Check out how
acts_as_authenticated and restful_authenticated does it.

On Dec 20, 2007 9:13 PM, Thorsten M.
[email protected]
wrote:

by the way: no need, to store the username in session, id is enough


Posted via http://www.ruby-forum.com/.


Ryan B.
http://www.frozenplague.net

Am 20.12.2007 um 12:24 schrieb Ryan B.:

Why would you store the current user’s ID in the URL anyway?

http://127.0.0.1:3000/guests/1/bookings/new

That’s the way rails does, or?

your user model defines:

has_many :bookings

so after finding the current user like:

def current_user
@current_user ||= User.find(session[:userid])
end

in application.rb you can use

current_user.bookings.create(…)

that way nobody can access data of somebody else.
same goes for index/show actions etc.

current_user.bookings.each do |booking|

end

by the way: no need, to store the username in session, id is enough

I would suggest installing the restful_authentication plugin

Once done one way of doing it is in the bookings controller add the
following filter

before_filter :login_required

And add a subsequent authorized? method to check if the url user_id
matches the current user, The code below checks the user is logged in
and is in the correct role.

def authorized?
logged_in? && (current_user.roles.in_role(‘company’) or
current_user.roles.in_role(‘admin’))
end

That’s the way rails does, or?

No, that’s not the way Rails should do something like that. It should
store it as a session variable.


Ryan B.
http://www.frozenplague.net

Unless you’re nesting your routes, which in this case might make sense.

–Jeremy

On Dec 20, 2007 3:00 PM, Ryan B. [email protected] wrote:

Ryan B.
http://www.frozenplague.net


http://www.jeremymcanally.com/

My books:
Ruby in Practice

My free Ruby e-book
http://www.humblelittlerubybook.com/

My blogs:
http://www.mrneighborly.com/
http://www.rubyinpractice.com/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs