Protecting actions from user

I have an action in controller called ‘create’ that takes values from
‘new’ form and saves into database. The problem is that user can type
…/post/create and it sends blank values to action that then manipulates
them though I use ‘new’ action for form.

What I am asking is that is there any way to protect such actions as
‘create’ from being accessed through url so that it wont be called since
it does not have anything to do with user directly?

P.S: If I put under ‘create’ under ‘private’ then ‘new.rhtml’ view is
unable to access ‘create’.

Thanks

Although, there is nothing stopping someone from posting from a fake
form or a script, or setting the method manually the way rails fudges
posts from certain ajax calls, etc. I think what you want is to make the
method protected, not private.

Shai R. wrote:

verifies the url is a post method (ie, you can’t type it in directly
into the address bar).
if someone does try to access (in the example above) one of the
:destroy, :create or :update methods, he will automatically be
redirected to the :list action.

hth


Sincerely,

William P.

when u generate a controller you get these lines (or, that is, you
should)

GETs should be safe (see

http://www.w3.org/2001/tag/doc/whenToUseGet.html)
verify :method => :post, :only => [ :destroy, :create, :update ],
:redirect_to => { :action => :list }

this line ( verify :method => :post ) does exactly what you want -> it
verifies the url is a post method (ie, you can’t type it in directly
into the address bar).
if someone does try to access (in the example above) one of the
:destroy, :create or :update methods, he will automatically be
redirected to the :list action.

hth

I would definitely suggest figuring out why it’s not working. The cold
hard fact is that if you do not make a controller method protected or
private, or implement some sort of authorization in a before filter that
makes sure it’s not called, it can be called by your users. It sounds
like maybe you need to revisit the how you have your methods structured.

@William … putting actions under protected does not work for me.
@Shai … where do I put this code exactly?

@vapor (liked the variable notation) :

you should check into exactly what you are after - the line i posted
above is a somewhat secure measure that you can’t type in the url into
the address bar and do some funky stuff via typing in a url (this means
it is a GET method). but, this doesn’t protect the method from being
accessed by users, robots, small annoying spam programs and what not. it
can be very easily accessed by a POST method (the default method for all
the in html, etc.)

if you want to stop ALL access from outside the application to your
action, this verify :method => :post line won’t be enough, and you’ll
have to check out will’s suggestion. but if it is sufficient enough for
you to block the user from inputing bad urls (but not blocking the
method altogether) it should work fine for you.

gather up what your exact needs are, and … good luck. :slight_smile:
the line

GETs should be safe (see

http://www.w3.org/2001/tag/doc/whenToUseGet.html) verify :method =>
:post, :only => [ :destroy, :create, :update ], :redirect_to => {
:action => :list }

is usually on the top part of the controller, but i don’t think it
really matters where u put it.

hth -

shai

That error is simply stating that it can not find the template for that
action. If you don’t specify a template to render, it will attempt to
render a template for that action. You are either missing a template, or
you are forgetting to render the correct one.

William P. wrote:

I would definitely suggest figuring out why it’s not working.

It gives me this error when I submit form…
No such file or directory -
./script/…/config/…/app/views/post/create.rhtml

@Shai… exactly…thanks for all the help :slight_smile:

William P. wrote:

That error is simply stating that it can not find the template for that
action. If you don’t specify a template to render, it will attempt to
render a template for that action. You are either missing a template, or
you are forgetting to render the correct one.

actually there is not a template for ‘create’ action. it just saves
values to db and redirects to ‘index’

Vapor … wrote:

The problem is that user can type
…/post/create and it sends blank values to action that then manipulates
them though I use ‘new’ action for form.

If the problem is the potential for bad input, rather than trying to
protect the create action in some way (you need to keep it accessible so
that new can get to it), you should use ActiveRecord’s validate methods
to make sure the input is good. The validate methods will be checked
when the create method tries to save the input and will cause the save
to fail if they don’t check out. So you usually do something like this:

def create
@product = Product.new(params[:product])
if @product.save
flash[:notice] = ‘Product was successfully created.’
redirect_to :action => ‘list’
else
render :action => ‘new’
end
end

see also attr_protected/attr_accessible which allows you to protect
certain attributes from the mass assignment you do when you do
Model.new(params). This means that for example the user can’t just add a
‘is_admin’ field to the form and set it to 1.

Fred

Hi vapor,
even i faced same problem, but i designed my project in this way, i
don’t whether it suites your application,

in my application i don’t have any guest user and for each user the
access to page is restricted, except for
some default pages like login , logout etc…
The restriction is done with help of before_filter, so before any
thing gets executed it checks whether the user is logged in and has
particular action/actions
associated as part of his role. And speaking about create method, as
Shai mentioned all your actions which changes the state of the
application should
never be submitted through get, and i guess you will be having proper
validation before serializing any thing.

Hope it helps,
Good Luck

On Sep 17, 2:27 pm, Vapor R. [email protected]

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs