Honestly we should be storing the id and not the whole object in the session. Good catch!
Sean Andreas Schwarz wrote:
> John W. Long wrote:
>
>> Can anyone shed light on how the attacker would be able to do this?
>>
>
> Just a guess: Admin::UserController#preferences.
>
>
>> only_allow_access_to :index, :new, :edit, :remove, :when => :admin,
>>
>
> "preferences" is not in that list.
>
>
>> @user = User.find(session['user'].id)
>>
>
> Unless whiny_nils is enabled (which I strongly recommend), anyone can
> pretend to be user #4, because nil.id = 4.
>
>
>> if valid_params?
>>
>
> Only password changes allowed, that should be OK for a hacker.
>
> I didn't try it, so I might have overlooked something, but maybe you
> should take a look at it.

_______________________________________________
Radiant mailing list
Post: [email protected]
Search: http://radiantcms.org/mailing-list/search/
Site: http://lists.radiantcms.org/mailman/listinfo/radiant
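As an added example (not code from the thread or from Radiant), the lookup pattern quoted above beside the fix the top reply proposes, run against a constructed in-memory `User` model. `NilClass#id` is patched only to emulate the Ruby 1.8 behaviour the thread relies on (`Object#id` aliased `object_id`, and `nil.object_id` was 4); modern Ruby has no `nil.id`.

```ruby
# Emulate Ruby 1.8, where Object#id was an alias of object_id and
# nil.object_id == 4, so `nil.id` silently evaluated to 4.
# (Modern Ruby raises NoMethodError here; this shim is for illustration.)
class NilClass
  def id
    4
  end
end

# Constructed stand-in for the ActiveRecord User model (not Radiant's).
class User
  class RecordNotFound < StandardError; end

  attr_reader :id, :login

  def initialize(id, login)
    @id, @login = id, login
  end

  STORE = {
    1 => User.new(1, 'alice'),
    4 => User.new(4, 'admin'),   # the record an anonymous request would hit
  }.freeze

  def self.find(id)
    STORE.fetch(id) { raise RecordNotFound, "Couldn't find User with ID=#{id}" }
  end
end

# Pattern from the thread: the whole user object lives in the session.
# With nobody logged in, session['user'] is nil and nil.id => 4,
# so the request is served as user #4.
def vulnerable_lookup(session)
  User.find(session['user'].id)
end

# Hardened version, as the reply suggests: keep only the id in the
# session and load nothing when it is absent or stale.
def safe_lookup(session)
  user_id = session['user_id']
  return nil if user_id.nil?
  User.find(user_id)
rescue User::RecordNotFound
  nil
end

puts vulnerable_lookup({}).login        # "admin"
p safe_lookup({})                       # nil
p safe_lookup('user_id' => 1).login     # "alice"
```

This only closes the nil-id hole; the missing `preferences` entry in `only_allow_access_to` is a separate authorization gap that still needs its own fix.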
