On Friday, 11 November 2011 19:10:06 Slava Mikerin wrote:
> Thanks for the answer, I will add the missing else super, but the main
> concern is still there. What is going to prevent someone calling
> url?scope=delete_all from messing up my database.

I answered you below. I copy it here:

>> My question is security related. What would prevent someone to pass
>> param=delete_all and mess up my database and how can I protect against
>> this.
>
> Change the scope test and use this:
> super.class.scopes.keys.include? scope
> Test existing scope instead of calling the scope and testing whether it's a Relation
>
>
> On Fri, Nov 11, 2011 at 2:16 AM, Sergio Cambra .:: entreCables S.L. ::. <[email protected]> wrote:
> > On Friday, 11 November 2011 01:56:27 slava wrote:
> >> Hello,
> >> I want to be able to pass scope param into my embedded scaffold and
> >> wrote this method and put it in the controller (should it go into
> >> helper?)
> >>
> >> def beginning_of_chain
> >>   scope = params[:scope] ? params[:scope].to_sym : nil
> >>   if scope and super.send(scope).class == ActiveRecord::Relation
> >>     super.send scope
> >>   end
> >> end
> >
> > You should add
> >   else
> >     super
> >
> > Or it won't work when params[:scope] is nil
> >
> >> My question is security related. What would prevent someone to pass
> >> param=delete_all and mess up my database and how can I protect against
> >> this.
> >
> > Change the scope test and use this:
> > super.class.scopes.keys.include? scope
> >
> >> thank you.
> >
> > --
> > Sergio Cambra .:: entreCables S.L. ::.
> > Mariana Pineda 23, 50.018 Zaragoza
> > T) 902 021 404 F) 976 52 98 07 E) [email protected]

--
Sergio Cambra .:: entreCables S.L. ::.
Mariana Pineda 23, 50.018 Zaragoza
T) 902 021 404 F) 976 52 98 07 E) [email protected]

--
You received this message because you are subscribed to the Google Groups "ActiveScaffold : Ruby on Rails plugin" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/activescaffold?hl=en.
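The following is an added example, not code from the thread or from ActiveScaffold, and it does not require Rails: a toy `Article` class with a class-level scope registry (as Rails 3 exposed via `Model.scopes`) and a toy `Relation` stand in for an ActiveRecord model and `ActiveRecord::Relation`, and `delete_all` only increments a counter instead of touching a database. It shows why the guard posted in the thread does not protect anything, namely that `super.send(scope)` is evaluated before its return type is compared, so `delete_all` has already executed by the time the `if` decides to skip the branch, and it shows the allowlist check Sergio suggests, applied before any method is sent. The method names `unsafe_chain` and `safe_chain` are hypothetical and simply take the model as an argument in place of `super`.

```ruby
# Added example: why "call it, then check the return type" is not a guard,
# and how an allowlist of registered scope names fixes it.
# Everything here is a Rails-free stand-in; no real database is involved.

class Relation
  attr_reader :model, :conditions

  def initialize(model, conditions = [])
    @model = model
    @conditions = conditions
  end

  # Chainable like AR::Relation#where; just accumulates conditions.
  def where(condition)
    Relation.new(model, conditions + [condition])
  end
end

class Article
  @scopes = {}       # name => body, like Rails 3's Model.scopes hash
  @deleted_rows = 0  # stands in for rows removed by delete_all

  class << self
    attr_reader :scopes, :deleted_rows

    # Register a named scope and define a class method for it.
    def scope(name, body)
      @scopes[name] = body
      define_singleton_method(name) { body.call(scoped) }
    end

    # Empty relation, the usual start of a query chain.
    def scoped
      Relation.new(self)
    end

    # Destructive stand-in for AR::Base.delete_all: returns an Integer,
    # not a Relation, so a return-type check would "reject" it, too late.
    def delete_all
      @deleted_rows += 3 # pretend three rows were deleted (constructed)
    end

    def reset!
      @deleted_rows = 0
    end
  end

  scope :published, ->(rel) { rel.where(published: true) }
  scope :recent,    ->(rel) { rel.where("created_at > now() - interval '7 days'") }
end

# The guard as posted in the thread, with the "else super" added.
# model.send(scope) runs BEFORE .class is inspected, so an attacker-supplied
# ?scope=delete_all executes the deletion and then quietly falls through.
def unsafe_chain(model, scope_param)
  scope = scope_param ? scope_param.to_sym : nil
  if scope && model.send(scope).class == Relation
    model.send(scope)
  else
    model.scoped
  end
end

# Allowlist guard: consult the registry of declared scopes first and never
# send a name that is not in it. Unknown names are rejected outright rather
# than silently ignored, so the caller can return a 400 or log the attempt.
def safe_chain(model, scope_param)
  return model.scoped if scope_param.nil? || scope_param.empty?

  scope = scope_param.to_sym
  unless model.scopes.key?(scope)
    raise ArgumentError, "unknown scope: #{scope_param.inspect}"
  end
  model.public_send(scope)
end

if __FILE__ == $PROGRAM_NAME
  Article.reset!
  unsafe_chain(Article, "delete_all")
  puts "unsafe guard: rows deleted = #{Article.deleted_rows}"

  Article.reset!
  begin
    safe_chain(Article, "delete_all")
  rescue ArgumentError => e
    puts "safe guard rejected: #{e.message}"
  end
  puts "safe guard: rows deleted = #{Article.deleted_rows}"
end
```

Two details matter beyond the allowlist itself: the check consults the registry before anything is called, and `public_send` is used instead of `send`, so even a registered name cannot reach a private method. Comparing `params[:scope]` against the registered names as strings (rather than calling `to_sym` on arbitrary input) is a further small hardening on Rubies that do not garbage-collect symbols.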
