ruby - In Rails, How do I Validate that a User Has Access to Modify an Entry?


In my Rails app, I'm using Devise to authenticate users. It gives me the variable current_user.id, the user id of the currently logged-in user.

In the app, every user is a member of at least one group. A user can create one or many trinkets, and can assign each trinket to one of their groups.

So, here are the models:

    class User < ActiveRecord::Base
      has_many :memberships
      has_many :groups, :through => :memberships
    end

    class Group < ActiveRecord::Base
      has_many :memberships
      has_many :users, :through => :memberships
      has_many :trinkets
    end

    class Trinket < ActiveRecord::Base
      belongs_to :group
    end

So there are the models! Working great!

When a user updates a trinket, they can assign the trinket to one of their groups.

But there's a security flaw! If a user views the trinket/edit or trinket/new page, copies the HTML source code, and changes the values of the <select> or <input> tags in the form, they can submit a trinket with someone else's group_id.

I'd like to add a validation to the model or controller that confirms the user has access to use the submitted values before writing them to the database. In this case, I want to see if the group_id of the trinket is a group_id within User.find(current_user.id).groups. I cannot figure out how to do this validation in the Trinket model.

Does anyone know how to verify that the user trying to assign a value has access to assign it? Does Devise or another gem have a way of checking the associations of user-submitted data?

The current Trinket model file has:

    attr_accessible :trinketname, :group_id
    validates_presence_of :trinketname

I hope this makes sense. Any help is appreciated! :-)

Versions: Rails 3.2.13, Ruby 1.9.3p392, Devise 2.2.4. I have protect_from_forgery in my application_controller.rb file.

You can put an if statement inside the action. This isn't accurate, but I hope it gets the point across:

    def create
      @trinket = Trinket.new(params[:trinket])
      # A user has many groups, so check membership through the association
      # rather than against a single group_id on the user.
      if current_user.groups.exists?(@trinket.group_id)
        if @trinket.save
          redirect_to somewhere
        else
          render :new
        end
      else
        flash[:warn] = "you're not allowed"
        render :new
      end
    end
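An added example, not code from the question or the answer above, showing both the model-level validation the question asks for and the controller-side check the answer sketches, written as plain Ruby so it runs without Rails. The User/Group classes are constructed stand-ins for the question's ActiveRecord models, and `member_of?`, `owned_group`, `create_trinket` and the `current_user` virtual attribute on Trinket are assumed names; the Rails equivalents are noted in the comments.

```ruby
# Stand-ins for the question's models so this runs without Rails (constructed data).
Group = Struct.new(:id, :name)

class User
  attr_reader :id, :groups
  def initialize(id, groups)
    @id, @groups = id, groups
  end

  # Rails equivalent: current_user.groups.exists?(group_id)
  def member_of?(group_id)
    groups.any? { |g| g.id == group_id }
  end
end

class Trinket
  attr_accessor :trinketname, :group_id, :current_user
  attr_reader :errors

  def initialize(attrs = {})
    # Form params arrive as strings; normalise before comparing with integer ids.
    @trinketname = attrs[:trinketname]
    @group_id    = attrs[:group_id] && attrs[:group_id].to_i
    @errors      = []
  end

  # Rails equivalent: `validate :group_must_be_one_of_users` in the model, with
  # current_user set by the controller as a virtual attribute before save.
  def valid?
    @errors = []
    @errors << "trinketname can't be blank" if trinketname.to_s.strip.empty?
    if current_user.nil? || !current_user.member_of?(group_id)
      @errors << "group_id is not one of your groups"
    end
    @errors.empty?
  end
end

# Controller-side alternative: resolve the group through the user's association
# instead of trusting params[:trinket][:group_id]. In Rails, current_user.groups.find(id)
# raises ActiveRecord::RecordNotFound for a tampered id; nil stands in for that here.
def owned_group(current_user, submitted_id)
  current_user.groups.find { |g| g.id == submitted_id.to_i }
end

def create_trinket(current_user, params)
  trinket = Trinket.new(params)
  trinket.current_user = current_user
  trinket.valid? ? [:saved, trinket] : [:rejected, trinket.errors]
end
```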
