Monday, Apr 02, 2007

Don’t trust primary key parameters

By default, Ruby on Rails URLs have the following format: http://www.domain.com/project/show/1, where "show" is the action to be performed and "1" is the project id, the primary key of the project table (i.e. a project's main identifier is the id, but it could be something else, such as the name). The controller uses it to load the project with the id 1 and present it to the user in some form or another.

Keep in mind that user access control may keep unauthorized people from logging in to the application, but if you want to prevent users from viewing or altering certain information, you will have to take additional precautions. For example, even though your application has no link to show the project with the id 2, you cannot stop a user from typing the URL http://www.domain.com/project/show/2 by hand. That means you have to check permissions every time someone wants to access an object, for example by verifying ownership:

# find the project with the id from the
# URL which is owned by the logged-in user
# (Rails 1.x find syntax; raises ActiveRecord::RecordNotFound
# when no project with that id belongs to the user)
@project = Project.find(params[:id],
   :conditions => ["user_id = ?", session[:user_id]])


Also, the Rails Way has a good post on this:

http://www.therailsway.com/2007/3/26/association-proxies-are-your-friend
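To make the difference between the two lookups concrete, here is an added example (not the post's or The Rails Way's code) in plain Ruby: Project, the PROJECTS table, RecordNotFound, find_unscoped, find_for_user and show are constructed stand-ins for the ActiveRecord model, the database and the controller action, so the logic runs without Rails.

```ruby
# Added example: in-memory stand-ins for the Rails pieces in the post.
# No ActiveRecord here; names are assumptions, not the page's code.

class RecordNotFound < StandardError; end  # plays the role of ActiveRecord::RecordNotFound

Project = Struct.new(:id, :user_id, :name)

# Constructed sample data: project 2 belongs to user 20, not to user 10.
PROJECTS = [
  Project.new(1, 10, "alpha"),
  Project.new(2, 20, "beta"),
].freeze

# The vulnerable pattern: Project.find(params[:id]) with no ownership check.
# Any id typed into the URL is served, regardless of who is logged in.
def find_unscoped(id)
  PROJECTS.find { |p| p.id == id } or raise RecordNotFound, "Project #{id}"
end

# The post's fix: the owner is part of the query
# (Project.find(id, :conditions => ["user_id = ?", session[:user_id]])),
# so a foreign id is simply "not found" and cannot be distinguished
# from an id that does not exist at all.
def find_for_user(id, user_id)
  PROJECTS.find { |p| p.id == id && p.user_id == user_id } or
    raise RecordNotFound, "Project #{id}"
end

# Stand-in for the show action: the id comes straight from the URL
# (params[:id], a string) and the user from the session.
def show(params, session)
  find_for_user(Integer(params[:id]), session[:user_id]).name
rescue RecordNotFound, ArgumentError
  :not_found  # Rails would render a 404 here
end
```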



Reader Comments (4)

I would say that in most cases if you are using find directly on a class, and not a proxy, that it's a security issue waiting to happen.

The only exception to this might be common lookup tables like countries, timezones or currencies. For all other data access use proxies; otherwise you'll be more likely to show data meant for one user to another.

In your example above I'd probably create a method in ApplicationController called current_user that instantiated a User object from the user_id in the session. Then it would just be a matter of doing @project = current_user.projects.find(params[:id]) assuming there was a has_many association between User and Project. I believe this is the pattern they recommend on the Rails Way blog.

April 2, 2007 | Unregistered CommenterDan Kubb
