Friday, February 12, 2010

Authorization And You

I have been noticing a dangerous anti-pattern recently. It comes in the form of not enough authorization checking. When you have a function in your website that should only be available for particular users (administrators, moderators, whatever), you might be tempted to implement the code to restrict access once, in the view. Consider the following view to delete from a list of users (I snuck in the %: scriptlet tag which I've discussed before):

<% @users.each do |user| %>
<%: %>
<% if @me.can_delete_users? %>
<a href="/users/delete?id=<%: %>">delete</a>
<% end %>
<% end %>

This list might be accessible to everyone, but the deletion should be allowed only to privileged users. This could be a good argument to put all administrative features like this in their own actions/controllers, but there's really no need. Just be sure to check authorization again on the controller side:

class UsersController < ApplicationController
before_filter :construct_me # Set up @me from session

def delete
raise "Nice try!" unless @me.can_delete_users?
User.delete params["id"].to_i
redirect_to "/users/list"

def list
@users = User.find :all

Did you see the extra check that the user is allowed to delete users from within the delete action? That is extra critical. It's easy to consider relying on security through obscurity. Who will try that URL to delete the user if they have no idea what the URL is and what parameters are needed? If the URL were less obvious, you may be even more strongly considering just hiding the URL. While the thought to reduce code clutter and duplicated work may be tempting, it leaves a gaping hole to anyone malicious who decides to start playing around with URLs, searching for administrative functions they shouldn't have access to. You may even get disgruntled former administrators/moderators/whatever who knew the URLs to decide to have some nasty fun with those functions they've been since blocked from.

Security is a hard thing to get right, but there's no excuse to succumb to laziness and knowingly leave dangerous holes in your system. The more powerful the function, the more on edge you need to be for possible ways to break your security.

Note that my snippets include an XSRF hole, but that's a problem for another post.

1 comment:

Anne Mueller said...



I am contacting you because your profile listed interests that match some of our current job openings. We are looking for iPhone, Android and Java developers. I hope that even if you aren't looking for a job right now, you might know of someone else who would be interested and could pass the information along.

mFoundry's award-winning mobile platforms are used by some of the largest banks, payment companies and merchants in the US. The company is a recognized leader in mobile banking, mobile payments and secure mobile transactions, earning numerous accolades including “Best Virtual Prepaid Card” for the Starbucks application, the number one “Technology Company to Watch” by Bank Technology News, one of “10 Emerging Mobile Players to Watch” by IDC, and one of Fierce Wireless’ “Fierce 15”. mFoundry is based in the heart of Marin County, Larkspur, next to the Ferry Terminal. It is an easy commute from Highways 101 and/or 80. For more information, go to

We are having a recruiting event on June 17th. I've attached the flyer for this event for anyone you know who might be interested. Please also pass this along to anyone else who might know candidates for these positions. If there is anyone else I could or should contact, please let me know. This is a real opportunity to work for a great company in an exciting field.

Thank you,

Anne Mueller, HR Manager
p 415.925.8523
f 415.480.1567
mFoundry is hiring! Ask me about our $1000 referral bonus!

60 E. Sir Francis Drake Blvd, Ste 200
Larkspur, CA 94939