In Rails, How do I Validate that a User Has Access to Modify an Entry?
In my rails app, I am using Devise which authenticates users in the app. It gives me variables like `current_user.id` which is the current logged-in user's UserID.

In my app, every User is a member of at least one Group. Any User can create one or many Trinkets and can assign each Trinket to one of their Groups.

So, here are my models:

```ruby
class User < ActiveRecord::Base
  has_many :memberships
  has_many :groups, :through => :memberships
end

class Group < ActiveRecord::Base
  has_many :memberships
  has_many :users, :through => :memberships
  has_many :trinkets
end

class Trinket < ActiveRecord::Base
  belongs_to :group
end
```

So there are my models! Everything is working great!

When a user updates a Trinket, they can assign that Trinket to one of their Groups.

BUT, there is a security flaw! If someone views the Trinket/edit or Trinket/new page, copies the HTML source code, changes the values of the `<SELECT>` or `<INPUT>` tags in the form, they can actually submit their Trinket into someone else's GroupID.

I'd like to add a validation into the model or controller so it confirms the user really has access to use the submitted values before writing them to the database. In this case, I want to see if the GroupID for this Trinket is a GroupID within `User.find(current_user.id).groups`, but I cannot figure out how to do that validation in the Trinket model.

Anyone know how to verify that a user is trying to assign a value to something they actually have access to assign it to? Does Devise or another gem have a way of checking associations for user-submitted data?

The current Trinket model file just has:

```ruby
attr_accessible :trinketname, :group_id
validates_presence_of :trinketname
```

Hope this makes sense. Help is appreciated! :-)

Versions: Rails 3.2.13, Ruby 1.9.3p392, Devise 2.2.4. I do have `protect_from_forgery` in my application_controller.rb file.
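The check the question asks for, as an added example that is not part of the original post or of Devise. The standard Rails answer is to never trust the posted `group_id` on its own but to resolve it through the current user's own association (`current_user.groups.find(params[:trinket][:group_id])`, which raises `ActiveRecord::RecordNotFound` for a group the user is not a member of), or to do the same membership test inside a custom `validate` method on the model. Rails is not loaded here: `User`, `Group` and `Trinket` are plain Ruby stand-ins, the `NotAuthorized` error class and the fixture data are assumptions made for the example, and the comments name the ActiveRecord calls that do the same job in the real app.

```ruby
# Added example, not code from the original post. Plain-Ruby stand-ins for the
# Rails models so the authorization check can run stand-alone (assumption:
# an array of Group structs plays the role of the `user.groups` association).
Group   = Struct.new(:id, :name)
User    = Struct.new(:id, :groups)
Trinket = Struct.new(:id, :trinketname, :group_id)

# Hypothetical error type (assumption); in Rails the scoped `find` below would
# raise ActiveRecord::RecordNotFound instead, which renders as a 404.
class NotAuthorized < StandardError; end

# The vulnerable shape of the update action: whatever group_id the browser
# posts is written straight to the record. A user who edits the <select>
# value in the page source can move their Trinket into any group that exists.
def update_trinket_unchecked(trinket, params)
  trinket.trinketname = params["trinketname"] if params.key?("trinketname")
  trinket.group_id    = Integer(params["group_id"]) if params.key?("group_id")
  trinket
end

# Hardened shape: the submitted id is looked up THROUGH the user's own groups,
# so an id that is not one of their memberships is simply never found.
# Rails equivalent: `group = current_user.groups.find(params[:trinket][:group_id])`.
def update_trinket(current_user, trinket, params)
  if params.key?("group_id")
    wanted = Integer(params["group_id"])
    group  = current_user.groups.find { |g| g.id == wanted }   # scoped lookup
    unless group
      raise NotAuthorized, "group #{wanted} is not one of user #{current_user.id}'s groups"
    end
    trinket.group_id = group.id
  end
  trinket.trinketname = params["trinketname"] if params.key?("trinketname")
  trinket
end

# Model-level equivalent for those who prefer the check in the Trinket model.
# A validation cannot see `current_user`, so the controller has to hand the
# editing user to the record first. In Rails this is `attr_accessor :editor`,
# `validate :group_belongs_to_editor`, and `errors.add(:group_id, ...)` inside
# that method; here it is a plain method that returns the list of errors.
def group_errors(editor, trinket)
  return ["editor not set; refusing to validate group_id"] if editor.nil?
  return [] if editor.groups.any? { |g| g.id == trinket.group_id }
  ["group_id #{trinket.group_id} is not one of your groups"]
end

# Constructed fixture (not real data): alice belongs to groups 1 and 2;
# group 99 exists in the database but belongs to someone else.
def fixture
  alice   = User.new(1, [Group.new(1, "alice-home"), Group.new(2, "shared")])
  trinket = Trinket.new(10, "keyring", 1)
  [alice, trinket]
end

if __FILE__ == $0
  alice, trinket = fixture
  forged = { "group_id" => "99" }                       # what a tampered form posts
  puts "unchecked: group_id is now #{update_trinket_unchecked(trinket.dup, forged).group_id}"
  begin
    update_trinket(alice, trinket.dup, forged)
  rescue NotAuthorized => e
    puts "checked:   rejected (#{e.message})"
  end
  puts "validation: #{group_errors(alice, Trinket.new(11, 'x', 99)).inspect}"
end
```

Two caveats a reviewer would raise on the original setup. `protect_from_forgery` does not help here: CSRF protection stops a third-party site from submitting on the user's behalf, but the tampered form in the question is submitted by the logged-in user themselves, with a valid token. And `attr_accessible :group_id` is what makes the raw `group_id` mass-assignable in the first place; once the controller resolves the group through `current_user.groups`, it can assign `trinket.group = group` itself and `group_id` can be dropped from `attr_accessible`, so a forged value is ignored even if some other code path forgets the check.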