Forum: Ruby on Rails REST Route how to avoid hacking routes

Kad Kerforn (kadoudal)
on 2007-06-30 19:34
What's the best protection against someone trying to modify a URL in a
named route?

/users/25/posts

If the user enters another URL, /users/26/posts, he can get access to user
26's posts unless ..

a before_filter is checking the current_user ID

but is there any other way to do it?

thanks for your lights

kad
pico (Guest)
on 2007-06-30 21:16
(Received via mailing list)
You shouldn't ever rely on routing to protect information from being
accessed or edited.  Not what it's for.

If only the current user can access his or her posts, I'd probably
create a route for that specifically, maybe something like:

/posts
/account/posts

That way you just go off current_user or session[:user] instead of
user_id.  Otherwise, you definitely need a before_filter.

On Jun 30, 11:34 am, Kad Kerforn <rails-mailing-l...@andreas-s.net>
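The three options in this reply, side by side, as an added example that is not from the thread or from Rails itself: plain Ruby with constructed sample data standing in for the models, the session hash and the `before_filter`, so it runs without Rails.

```ruby
# Added example, not code from the thread. Plain Ruby, no Rails: Post, POSTS
# and the session hash are constructed stand-ins for the real app objects.
Post = Struct.new(:id, :user_id, :title)

# Constructed sample data: user 25 owns post 1, user 26 owns post 2.
POSTS = [
  Post.new(1, 25, "post of user 25"),
  Post.new(2, 26, "post of user 26"),
].freeze

# The weak version: the id taken from /users/:user_id/posts is trusted as-is,
# so whoever is logged in can read any user's posts just by editing the URL.
def posts_by_url_id(params)
  POSTS.select { |p| p.user_id == params[:user_id].to_i }
end

# Option 1 from the reply: a route without the id (/posts or /account/posts).
# The owner comes from the session only; the URL carries nothing to tamper with.
def my_posts(session)
  POSTS.select { |p| p.user_id == session[:user_id] }
end

# Option 2: keep /users/:user_id/posts but run a before_filter-style check
# that rejects a mismatch between the URL id and the logged-in user.
def require_owner?(params, session)
  params[:user_id].to_i == session[:user_id]
end

def posts_with_filter(params, session)
  return :forbidden unless require_owner?(params, session) # 403 in a real app
  posts_by_url_id(params)
end
```

`posts_by_url_id` is kept only to show the leak the question describes; either of the other two functions is what the controller should actually do.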
Kad Kerforn (kadoudal)
on 2007-06-30 23:08
pico wrote:
> You shouldn't ever rely on routing to protect information from being
> accessed or edited.  Not what it's for.
>
> If only the current user can access his or her posts, I'd probably
> create a route for that specifically, maybe something like:
>
> /posts
> /account/posts
>
> That way you just go off current_user or session[:user] instead of
> user_id.  Otherwise, you definitely need a before_filter.
>
> On Jun 30, 11:34 am, Kad Kerforn <rails-mailing-l...@andreas-s.net>

Thanks.. I understand better... I've never written such routes yet
(REST beginner...)
I believe it's only a matter of writing a path without parameters.