<ul>
<% @users.each do |user| %>
<li>
<%: user.name %>
<% if @me.can_delete_users? %>
<a href="/users/delete?id=<%: user.id %>">delete</a>
<% end %>
</li>
<% end %>
</ul>
This list might be accessible to everyone, but the deletion should be allowed only to privileged users. This could be a good argument to put all administrative features like this in their own actions/controllers, but there's really no need. Just be sure to check authorization again on the controller side:
class UsersController < ApplicationController
before_filter :construct_me # Set up @me from session
def delete
raise "Nice try!" unless @me.can_delete_users?
User.delete params["id"].to_i
redirect_to "/users/list"
end
def list
@users = User.find :all
end
end
Did you see the extra check that the user is allowed to delete users from within the delete action? That is extra critical. It's easy to consider relying on security through obscurity. Who will try that URL to delete the user if they have no idea what the URL is and what parameters are needed? If the URL were less obvious, you may be even more strongly considering just hiding the URL. While the thought to reduce code clutter and duplicated work may be tempting, it leaves a gaping hole to anyone malicious who decides to start playing around with URLs, searching for administrative functions they shouldn't have access to. You may even get disgruntled former administrators/moderators/whatever who knew the URLs to decide to have some nasty fun with those functions they've been since blocked from.
Security is a hard thing to get right, but there's no excuse to succumb to laziness and knowingly leave dangerous holes in your system. The more powerful the function, the more on edge you need to be for possible ways to break your security.
Note that my snippets include an XSRF hole, but that's a problem for another post.
4 comments:
Mike,
Hi,
I am contacting you because your Stackoverflow.com profile listed interests that match some of our current job openings. We are looking for iPhone, Android and Java developers. I hope that even if you aren't looking for a job right now, you might know of someone else who would be interested and could pass the information along.
mFoundry's award-winning mobile platforms are used by some of the largest banks, payment companies and merchants in the US. The company is a recognized leader in mobile banking, mobile payments and secure mobile transactions, earning numerous accolades including “Best Virtual Prepaid Card” for the Starbucks application, the number one “Technology Company to Watch” by Bank Technology News, one of “10 Emerging Mobile Players to Watch” by IDC, and one of Fierce Wireless’ “Fierce 15”. mFoundry is based in the heart of Marin County, Larkspur, next to the Ferry Terminal. It is an easy commute from Highways 101 and/or 80. For more information, go to www.mfoundry.com
We are having a recruiting event on June 17th. I've attached the flyer for this event for anyone you know who might be interested. Please also pass this along to anyone else who might know candidates for these positions. If there is anyone else I could or should contact, please let me know. This is a real opportunity to work for a great company in an exciting field.
Thank you,
Anne Mueller, HR Manager
mFoundry
p 415.925.8523
f 415.480.1567
anne@mfoundry.com
www.mfoundry.com
mFoundry is hiring! Ask me about our $1000 referral bonus!
http://mfoundry.com/company_jobs.html
http://www.linkedin.com/in/anneemueller
https://twitter.com/mfoundryrecruit
60 E. Sir Francis Drake Blvd, Ste 200
Larkspur, CA 94939
Ujjivan small finance bank net banking
ujjivan personal loan
UCO bank balance check
Block PNB Atm card
Baroda Rajasthan Kshetriya Gramin Bank
HDFC Credit Card balance
track ICICI Bank credit card
Abhyudaya bank mobile banking regitration
BOB ATM card apply
UBI net banking
Hi.
Thank you for sharing this information, this blog was good it’s gives good information about Loblaw Companies company share market information.
Here is sharing some Informatica PowerCenter information may be its helpful to you.
Informatica PowerCenter Training
Hi,
Great article! You've done your research. Keep up the excellent work! Looking forward to reading more from you.
https://www.gologica.com/course/oracle-bi-publisher-training/
Post a Comment