In this application there are four roles.
A role can get into unauthorized pages by editing the URL ids and perform actions on the options available on that page, leading to malfunctioning of the application.
Does anyone have an idea about this? Is it a problem of closing the session, or a routes permission problem? Thanks in advance.
It's nothing related to routes; you can restrict action access yourself with filters, i.e.
class MyController < ApplicationController
  # Runs before every action in this controller (before_filter in Rails < 4)
  before_action :check_access

  def secure_action_a
  end

  def secure_action_b
  end

  private

  # Redirecting inside a before_action halts the chain, so the action body never runs.
  def check_access
    case params[:action]
    when 'secure_action_a'
      redirect_to root_path, alert: "Not Allowed" unless current_user.role == 'admin'
    when 'secure_action_b'
      redirect_to root_path, alert: "Not Allowed" unless current_user.role == 'user'
    end
  end
end
And also, in an action you should verify that the user has access to the resource. So let's say you have an action that shows a transaction to the user, and he can only see his own transactions. If you write code like:
def transaction
  # Unscoped lookup: any id in the table is reachable by any logged-in user
  @transaction = Transaction.find(params[:id])
end
then you have a big issue, because anyone can start writing requests like "http://mywebsite.com/transaction/23" and see the transaction, because there aren't any filters on the current user. So you usually make sure that the user owns the resource:
def transaction
  # Scoped through the association: an id the user does not own raises RecordNotFound (404)
  @transaction = current_user.transactions.find(params[:id])
end
or alternatively
def transaction
  # find_by! returns the single record (where would return a relation) and raises RecordNotFound if the user does not own it
  @transaction = Transaction.find_by!(user_id: current_user.id, id: params[:id])
end
Later you can use more advanced gems like cancan to control access to resources.
Finally, make sure to read the Rails security guide.
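An added, runnable illustration of both checks from the answer above (this is not code from the original post, and it uses no Rails so it runs stand-alone): a default-deny role allow-list that runs before the action, and an ownership-scoped lookup so tampering with the id in the URL behaves like a request for a record that does not exist. User, Transaction, TransactionRepo, TransactionsController, ROLE_PERMISSIONS, the attempt helper and the sample rows are all assumptions standing in for the app's models and ActiveRecord.

```ruby
# Added example, not from the original post. Pure Ruby stand-ins for the
# Rails pieces: models (Struct), ActiveRecord lookups (TransactionRepo),
# before_action + dispatch (TransactionsController#process).
User        = Struct.new(:id, :role)
Transaction = Struct.new(:id, :user_id, :amount)

class NotAuthorized  < StandardError; end   # maps to redirect / 403
class RecordNotFound < StandardError; end   # maps to ActiveRecord::RecordNotFound / 404

# Constructed sample rows standing in for the transactions table.
TRANSACTIONS = [
  Transaction.new(23, 1, 100),
  Transaction.new(24, 2, 250),
].freeze

module TransactionRepo
  # Unscoped find: what Transaction.find(params[:id]) does. Any id is reachable.
  def self.find(id)
    TRANSACTIONS.find { |t| t.id == id } || raise(RecordNotFound, "id=#{id}")
  end

  # Owner-scoped find: what current_user.transactions.find(params[:id]) does.
  # A record owned by someone else is indistinguishable from a missing one.
  def self.find_owned_by(user, id)
    TRANSACTIONS.find { |t| t.user_id == user.id && t.id == id } ||
      raise(RecordNotFound, "id=#{id}")
  end
end

# Allow-list of roles per action (assumed role names). Any action not listed
# is denied, which scales better to several roles than one redirect per action.
ROLE_PERMISSIONS = {
  'show'  => %w[admin user],
  'audit' => %w[admin],
}.freeze

class TransactionsController
  def initialize(current_user, params)
    @current_user = current_user
    @params = params
  end

  # Mimics Rails dispatch: the access check runs first and halts the request
  # (here by raising) when the current role may not call the action.
  def process(action)
    check_access(action)
    public_send(action)
  end

  # Resource-level check: the lookup itself is scoped to the current user.
  def show
    TransactionRepo.find_owned_by(@current_user, @params[:id])
  end

  # Action-level check only: admins may list every transaction id.
  def audit
    TRANSACTIONS.map(&:id)
  end

  private

  def check_access(action)
    allowed = ROLE_PERMISSIONS.fetch(action.to_s, [])
    return if allowed.include?(@current_user.role)
    raise NotAuthorized, "#{@current_user.role} may not #{action}"
  end
end

# Outcome of one request as the browser would see it: :ok, :forbidden or :not_found.
def attempt(user, action, id = nil)
  TransactionsController.new(user, { id: id }).process(action)
  :ok
rescue NotAuthorized
  :forbidden
rescue RecordNotFound
  :not_found
end
```

With these stand-ins, a 'user' who edits the URL from /transactions/23 to /transactions/24 gets :not_found from the scoped action, even though the unscoped TransactionRepo.find(24) would have returned the other user's row; the same user calling audit gets :forbidden before the action body runs.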