Reputation: 1488
I have been through M. Hartl's book on the ROR Tutorial, and in there, for the Edit and Update actions for the user, the book uses "@user = User.find(params[:id])" to find the user and then, for authorization purposes, adds a "correct_user" method which checks if @user is the current user. The thing that is baffling me is why I can't just find the user to begin with using "@user = current_user" in the edit and update actions, so that I don't have to worry about users passing in other User IDs through the URL. Does this approach I am thinking of leave any security loopholes? I am using Devise, so I already have a current_user method handy.
Upvotes: 0
Views: 97
Reputation: 2275
One potential problem with that approach is that it might be a user with special privileges (admin, moderator, etc.) trying to edit another user that they are allowed to update. Best to stick with fetching from the database. Also, if Rails has already fetched the user in the current request cycle, the object should be cached, so it shouldn't actually do a second database request anyway.
Upvotes: 1
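To make the trade-off in the answer concrete, here is an added example (not code from the question, the answer, or Hartl's tutorial) that models the three variants in plain Ruby with no Rails dependency: an unchecked fetch by params[:id] (an insecure direct object reference), the "@user = current_user" shortcut, and the tutorial-style fetch followed by an ownership check extended with the admin case. The User struct, the in-memory USERS table standing in for User.find, and the helper names are all constructed for this illustration.

```ruby
# Added example, not from the original page: plain-Ruby model of the
# edit/update target lookup patterns discussed above. No Rails required.

User = Struct.new(:id, :name, :admin, keyword_init: true)

# Constructed in-memory "database" that stands in for User.find(params[:id]).
USERS = {
  1 => User.new(id: 1, name: "alice", admin: false),
  2 => User.new(id: 2, name: "bob",   admin: false),
  3 => User.new(id: 3, name: "root",  admin: true),
}.freeze

# Mirrors ActiveRecord::RecordNotFound for an unknown id.
class RecordNotFound < StandardError; end

def find_user(id)
  USERS.fetch(Integer(id)) { |k| raise RecordNotFound, "User #{k}" }
end

# Variant 1 (insecure "before" form): fetch by id with no ownership check.
# Any signed-in user can reach any other user's edit/update action.
def edit_target_unchecked(_current_user, params)
  [:ok, find_user(params[:id])]
end

# Variant 2: the shortcut from the question. params[:id] is ignored, so a
# user can only ever edit themselves, which also blocks a legitimate admin.
def edit_target_current_user_only(current_user, _params)
  [:ok, current_user]
end

# Variant 3: Hartl-style fetch plus a correct_user check, extended with the
# privileged-user case the answer points out. Hypothetical helper names.
def correct_user?(current_user, target)
  current_user.admin || current_user.id == target.id
end

def edit_target_with_authorization(current_user, params)
  target = find_user(params[:id])
  return [:forbidden, nil] unless correct_user?(current_user, target)

  [:ok, target]
end

if __FILE__ == $PROGRAM_NAME
  alice = USERS[1]
  root  = USERS[3]
  # alice tampers with the URL to reach bob's record.
  p edit_target_unchecked(alice, { id: "2" })          # [:ok, bob]  -> IDOR
  p edit_target_with_authorization(alice, { id: "2" }) # [:forbidden, nil]
  # root legitimately edits bob; the shortcut cannot express this.
  p edit_target_current_user_only(root, { id: "2" })   # [:ok, root]
  p edit_target_with_authorization(root, { id: "2" })  # [:ok, bob]
end
```

The point the answer makes shows up in the last two calls: with "@user = current_user" the admin's request silently edits the admin's own record instead of bob's, whereas fetching by id and then asking correct_user? handles both the ordinary user and the privileged one, and still rejects alice's tampered id.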