what’s the best protection against someone trying to modify an URL in a
named route
/users/25/posts
if the user enter another URL /users/26/posts, he can get acces to user
26 posts unless …
a before_filter is checking the current_user ID
but is there any other way to do it ?
thanks for your lights
kad
You shouldn’t ever rely on routing to protect information from being
accessed or edited. Not what it’s for.
If only the current user can access his or her posts, I’d probably
create a route for that specifically, maybe something like:
/posts
/account/posts
That way you just go off current_user or session[:user] instead of
user_id. Otherwise, you definitely need a before_filter.
On Jun 30, 11:34 am, Kad K. [email protected]
pico wrote:
You shouldn’t ever rely on routing to protect information from being
accessed or edited. Not what it’s for.If only the current user can access his or her posts, I’d probably
create a route for that specifically, maybe something like:/posts
/account/postsThat way you just go off current_user or session[:user] instead of
user_id. Otherwise, you definitely need a before_filter.On Jun 30, 11:34 am, Kad K. [email protected]
Thanks… I understand better… I’ve never written such routes yet
(REST beginner…)
I believe it’s only a matter of writting path without parameters
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
Sponsor our Newsletter | Privacy Policy | Terms of Service | Remote Ruby Jobs