Secure ways of doing this

Which is the best way of doing this?

I have an Article show page with a post form, so when submitting the post
I give the article_id argument to the post create method in a different
controller.

Is there a question here?

What do you feel is “insecure” about what you are doing?

Using a hidden_field shows the value to the user through the source code,
and using GET lets users change the value from the URL.

You’re right.

How do you determine that a user has access to add a comment to a
specific article? That's the logic that you should put in your
controller/model.

So if the user changes the article ID in the URL to an article that he
doesn’t have access to, it should throw an error.

Is this for a comment form? You would definitely need to send the
article_id to the comment, so it knows which article it belongs to.
But what I fail to see here is why this is a security failure. In
order to show the page, the ID (or whatever fills in for it, cf
friendly_id) must be in the URL.

Walter

Tim S. wrote in post #998504:

You’re right.

How do you determine that a user has access to add a comment to a
specific article? That's the logic that you should put in your
controller/model.

So if the user changes the article ID in the URL to an article that he
doesn’t have access to, it should throw an error.

Any user can post on any article, but I don't think it's a good idea to
use GET, and I don't think hidden_field is the best option either. Is there
another way of doing this?

Walter D. wrote in post #998505:

Is this for a comment form? You would definitely need to send the
article_id to the comment, so it knows which article it belongs to.
But what I fail to see here is why this is a security failure. In
order to show the page, the ID (or whatever fills in for it, cf
friendly_id) must be in the URL.

Walter

But I don't think the GET method is a good way of getting data into a
database.

On May 13, 2011, at 9:13 AM, Tomas R. wrote:

But I don't think the GET method is a good way of getting data into a
database.

I fail to see the issue here. But I suppose you could use the session
for this, although if your permissions are the way you state – anyone
can see anything, anyone can post on anything – then it just doesn’t
mean anything. You’ve got all the Rails protection stuff running on
all user input, so it doesn’t look to me like there’s some threat here.

Walter

What if someone sets article_id = 1000000
and the article with id 1000000 doesn't exist?

On 13 May 2011 15:34, Tomas R. [email protected] wrote:

What if someone sets article_id = 1000000
and the article with id 1000000 doesn't exist?

What if they do that in the show method?

Are you catching RecordNotFound errors? Or are you checking for
.exists? in your controller before doing a find?

If they do that, then your application will explode. Actually, it just
says it can't find the article with id = ### and the user will have to
move on.

What is the problem with the user changing the article id? If they
change it to another article they are allowed to post on, oh well; if
they change it to an article they shouldn't be allowed to post on, you
need to catch it.

You can also use nested resources to achieve a URL like
/articles/1/comments/new, but again you're still going to expose the
article ID.

Then they get an error, and are told that they are an annoying git.
It’s not going to build a new article just for them if they’re fooling
around, right? Your comment create looks like this:

# find_by_id returns nil for a missing record; Article.find would raise
# RecordNotFound instead, so the else branch below would never run
@article = Article.find_by_id(params[:comment][:article_id])
if @article
  @article.comments << Comment.new(params[:comment])
  @article.save
else
  # go away, you're an annoying git
end

Or there’s probably an even cleaner way to do this with a validation,
along the lines of comment.article must exist.

Or even better, you could be using accepts_nested_attributes_for, and
post the comment to the article, not to the comments controller. That
would fail very early, because the parent article wouldn't exist.

Walter
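The flow the thread converges on (take the article id from the nested route rather than a hidden field or the comment body, look the article up and 404 when it does not exist, run the authorization check in the controller/model, and only then attach the comment) as an added example. This is not code from the thread or from Rails: it is plain Ruby that runs without a database, so Article, Comment, ArticleStore, the "locked article" rule in can_comment? and the [status, payload] return value are all stand-ins chosen for the example.

```ruby
# Added example, not code from the thread. Plain Ruby that models the
# comment-create flow discussed above. Article, Comment and ArticleStore are
# stand-ins for ActiveRecord; a real app would use the ORM (assumption).

class RecordNotFound < StandardError; end
class Forbidden < StandardError; end

Article = Struct.new(:id, :author, :locked, :comments)
Comment = Struct.new(:article_id, :author, :body)

class ArticleStore
  def initialize(articles)
    @by_id = articles.each_with_object({}) { |a, h| h[a.id] = a }
  end

  # Mirrors ActiveRecord's find: raises RecordNotFound instead of returning
  # nil, so a bare `if @article` after find never takes its else branch.
  # Non-numeric ids (e.g. "abc") are treated as not found as well.
  def find(id)
    key = Integer(id.to_s, exception: false)
    @by_id.fetch(key) { raise RecordNotFound, "Couldn't find Article with id=#{id}" }
  end
end

# Authorization rule, kept in one place outside the form. Assumption for the
# example: a locked article accepts comments only from its author. The
# thread's own rule ("anyone can post on anything") would make this `true`.
def can_comment?(user, article)
  !article.locked || user == article.author
end

# Whitelist of attributes the client may set on a comment (strong-params
# style). article_id is deliberately absent: it comes from the route, never
# from the request body, so a smuggled article_id is simply dropped.
COMMENT_ATTRS = [:body].freeze

# The create action. route_params is what the nested route
# /articles/:article_id/comments yields; comment_params is the posted form.
# Returns [status, payload] in place of a Rails render/redirect.
def create_comment(store, current_user, route_params, comment_params)
  article = store.find(route_params[:article_id])
  unless can_comment?(current_user, article)
    raise Forbidden, "#{current_user} may not comment on article #{article.id}"
  end
  permitted = comment_params.select { |k, _| COMMENT_ATTRS.include?(k) }
  comment = Comment.new(article.id, current_user, permitted[:body])
  article.comments << comment
  [201, comment]
rescue RecordNotFound => e
  [404, e.message]
rescue Forbidden => e
  [403, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data for the example.
  store = ArticleStore.new([Article.new(1, "alice", false, []),
                            Article.new(2, "bob", true, [])])
  # Client tries to smuggle article_id=2 in the body; the route wins.
  p create_comment(store, "carol", { article_id: "1" }, { body: "hi", article_id: "2" })
  # The "id = 1000000 does not exist" case from the thread: a 404, no explosion.
  p create_comment(store, "carol", { article_id: "1000000" }, { body: "hi" })
  # An article the user may not post on: the check in the controller catches it.
  p create_comment(store, "carol", { article_id: "2" }, { body: "hi" })
end
```

The hidden field versus GET question disappears once the server stops trusting any client-supplied article id at all: the only id that matters is the one in the nested route, and it is validated by the lookup and the authorization check, not by where the client put it.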

Ok I get it now.