Quote:
Originally Posted by gaming_mouse
ok i see what you mean now, but these both seem wrong to me. after the user logs in, you should have a session of some sort, either on the server or with a secure cookie. any updates to the user account would be done to the user in the valid session. i guess the thing that threw me was your use of "top level", as i don't see any hierarchies involved here. i didnt understand your widget example.
So, current_user just returns the User that correlates to the valid secure session. You can't fudge that.
But in the rails controller, if you permit an object to be altered just via the ID, it can be. That's why you need to explicitly say current_user.update_attributes instead of say User.find(params[:id]).update_attributes
We're arguing basically the same thing, which is that you need to find a way to restrict the updating to the user in the session. Would you do this differently?
The widget example was overly complex. If a User has_many widgets, how do you ensure that the widget that gets updated belongs to the proper user?
You'd have a route like /users/1/widgets/14 But you wouldn't want someone to be able to "put /users/1/widgets/14" if they're user #3.
The code
Code:
def update
@widget = Widget.find(params[:id])
@widget.update_attributes(params[:widget])
end
would allow anybody to update any widget. So fudging a put request with the ID of any widget would allow you to update it.
the code
Code:
def update
@widget = current_user.widgets.find(params[:id])
@widget.update_attributes(params[:widget])
end
will only allow you to update the widget if you are logged in and are the owner of the widget.
My example of gears is what happens if you keep going down levels... and want a sort of central way to authorize the object against the current_user. It's unwieldy to have long methods in every controller in a before_filter, and easy to miss a method here or there.