Reputation: 46965
Sorry if this is an elementary question, but I've just started to consider whether I've been doing this correctly all along. Usually when a user tries to update the database, I simply use his/her username as the key in a user table and then base all operations on that. However, I just realized that a crafty user MIGHT be able to submit a query using another username, thus circumventing this weak form of enforcing entitlements. So my question really is: how do I prevent a user from potentially submitting a destructive action against a database under a different userid?
Upvotes: 0
Views: 228
Reputation: 14179
You should store the current user's ID in the session, which isn't easily manipulated.
I usually refer to the objects through a relation on a User object:
current_user.fragile_records.find(params[:id]).destroy
It's a readable and simple way of doing an ownership test.
http://guides.rubyonrails.org/security.html is a surprisingly good read on the subject.
There are plenty of ready-made solutions for maintaining user identity (authentication) and ensuring the user has clearance for an action (authorization) in Rails.
Upvotes: 2
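The ownership test from the answer next to the weak pattern from the question, as an added example that is not part of the original posts. It uses plain Ruby structs as a constructed stand-in for the Rails models; `destroy_trusting_params`, `destroy_scoped`, and the sample users and records are hypothetical names.

```ruby
# Constructed in-memory stand-in for the Rails models (no ActiveRecord required).
class RecordNotFound < StandardError; end
FragileRecord = Struct.new(:id, :user_id, :body)
User = Struct.new(:id, :name)

def seed
  users = [User.new(1, "alice"), User.new(2, "bob")]
  records = [FragileRecord.new(10, 1, "alice's note"), FragileRecord.new(20, 2, "bob's note")]
  [users, records]
end

# Weak pattern from the question: the owner is whatever username the request supplies.
def destroy_trusting_params(users, records, params)
  owner = users.find { |u| u.name == params[:username] } or raise RecordNotFound
  rec = records.find { |r| r.id == params[:id].to_i && r.user_id == owner.id } or raise RecordNotFound
  records.delete(rec)
end

# Pattern from the answer: identity comes from the server-side session, and the
# lookup is scoped to that user, as current_user.fragile_records.find(params[:id]) does.
def destroy_scoped(users, records, session, params)
  current_user = users.find { |u| u.id == session[:user_id] } or raise RecordNotFound
  rec = records.find { |r| r.user_id == current_user.id && r.id == params[:id].to_i } or raise RecordNotFound
  records.delete(rec)
end

def demo
  users, records = seed
  # Bob is logged in (session user_id 2) but submits alice's username and record id.
  forged = { username: "alice", id: "10" }
  destroy_trusting_params(users, records, forged)
  weak_deleted = records.none? { |r| r.id == 10 }

  users, records = seed
  blocked = begin
    destroy_scoped(users, records, { user_id: 2 }, forged)
    false
  rescue RecordNotFound
    true
  end
  own = destroy_scoped(users, records, { user_id: 2 }, { id: "20" })
  { weak_deleted: weak_deleted, blocked: blocked,
    own_deleted: own.id == 20, alice_intact: records.any? { |r| r.id == 10 } }
end

p demo if $PROGRAM_NAME == __FILE__
```

In the scoped version the forged `username` parameter is never read, so a record belonging to another user looks the same as a record that does not exist.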