Hello Dale,
We’re close to launching our application to the public. Although this
will be a closed alpha I’m still kind of concerned about the security
of using an incrementing integer for the id to sensitive database
records.
[snip]
@blog = Blog.find(:first, :conditions => ['id = ? and user_id = ?',
                  params[:blog][:id], session[:user_id]])
How do you handle user authentication and login? If you were to use
the restful_auth plugin for example, which assigns a current_user to
every controller (or current_whateveryoucalledyourusermodel), then
you can use associations in your User model like so:
class User < ActiveRecord::Base
  has_many :blogs
  # lots more stuff here from the restful_auth plugin if you used it
end
Then you can do in your controllers:
# scoped through the association: the generated query checks id AND user_id
@blog = current_user.blogs.find(params[:id])
…and so on, in every place you access user-specific data. You can
wrap most of this in a before_filter so that user-related data is
loaded at the start of each controller method, or when needed.
Even if you don’t use the restful_auth plugin, you can add a line
like this to your application.rb
# application.rb: load the logged-in user into @user before any action runs
before_filter { |c| c.instance_variable_set(:@user, User.find(c.session[:user_id])) }
The above line assigns the currently authenticated user object to all
controllers before any action is called. That way @user, holding the
current authenticated user, is always available in your controller
and you can do:
@blog = @user.blogs.find(params[:id])
If someone tried to request http://localhost/blogs/show/1, your show
action with the above line would not find the record if it does not
belong to the user.
but is it enough? Does anyone have some opinion about this?
I’d say your own method is sufficient, but not quite ‘The Rails Way’.
Use associations, and plugins like above to make your code easier to
read and maintain.
-christos
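An added example to go with the thread above (my code, not Dale's, christos's or ActiveRecord's): a plain-Ruby stand-in for the two lookup styles being compared. The Blog struct, the BLOGS table, the RecordNotFound class and the show method are all constructed here to mirror what Blog.find(params[:id]) and current_user.blogs.find(params[:id]) do, so the effect of an incrementing id can be seen by walking the id space as a second user.

```ruby
# Added example, not code from the thread or from Rails/ActiveRecord. It is a
# plain-Ruby stand-in for the two lookup styles discussed above: the hypothetical
# Blog struct, BLOGS table and RecordNotFound class are constructed here to mirror
# what Blog.find(params[:id]) and current_user.blogs.find(params[:id]) do.

class RecordNotFound < StandardError; end

Blog = Struct.new(:id, :user_id, :title)

# Constructed sample data: sequential ids, two owners. Nothing here is real.
BLOGS = [
  Blog.new(1, 10, "alice: private notes"),
  Blog.new(2, 11, "bob: draft post"),
  Blog.new(3, 10, "alice: second blog"),
].freeze

# Equivalent of Blog.find(params[:id]) / 'WHERE id = ?': the id is the only
# condition, so any logged-in user who guesses an id reads the record.
def unscoped_find(id)
  BLOGS.find { |b| b.id == id } or
    raise RecordNotFound, "Couldn't find Blog with ID=#{id}"
end

# Equivalent of current_user.blogs.find(params[:id]) /
# 'WHERE id = ? AND user_id = ?': ownership is part of the query, so a record
# belonging to someone else is simply not found, never loaded and then checked.
def owned_find(user_id, id)
  BLOGS.find { |b| b.id == id && b.user_id == user_id } or
    raise RecordNotFound, "Couldn't find Blog with ID=#{id}"
end

# A stand-in for the show action. params[:id] arrives as a string; a value that
# is not a decimal integer is treated as not found rather than passed on.
def show(current_user_id, param_id)
  id = Integer(param_id, 10)
  owned_find(current_user_id, id)
rescue ArgumentError, TypeError
  raise RecordNotFound, "Couldn't find Blog with ID=#{param_id.inspect}"
end

# What someone logged in as user_id sees when walking the id space with each
# lookup style. Incrementing ids make this walk trivial.
def reachable_ids(user_id, candidate_ids, scoped:)
  candidate_ids.select do |id|
    begin
      scoped ? owned_find(user_id, id) : unscoped_find(id)
      true
    rescue RecordNotFound
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "bob (11) via unscoped find: #{reachable_ids(11, 1..3, scoped: false).inspect}"
  puts "bob (11) via owned find:    #{reachable_ids(11, 1..3, scoped: true).inspect}"
end
```

With the unscoped lookup, user 11 can read all three records by counting upwards; with the owned lookup, ids 1 and 3 raise RecordNotFound for that user even though the rows exist, which is the same outcome as the `id = ? and user_id = ?` condition in Dale's query, just expressed through the association.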