John, I feel like there definitely would be some security risk but I can't think of a real, solid example. Can you lay one out for me?
As for actually implementing this, my train of thought is to use ActiveRecord::Reflections to keep checking what a model belongs_to and then calling that association.

- Michael Boutros

On Monday, 4 June 2012 18:41:41 UTC-4, John Mileham wrote:

> One reason that the code to generate all those URLs seems not to be DRY might be that any URL that can be programmatically deduced from the model at the end of the chain is itself non-DRY. i.e. /users/1/projects/2/issues/3 adds no more information than /issues/3 would in that case. Obviously in some cases you want nested routes to provide a more human-readable URL, but there are real security pitfalls to using nested routes if you don't unpack the URLs correctly and validate the associations in your receiving controller.
>
> I wonder whether a bit of vinegar might actually be a good thing in this case? If you really want deeply nested routes, you have to do a little more leg work, because the simpler and safer way is to avoid nesting. Thoughts?
>
> -john
>
> On Mon, Jun 4, 2012 at 4:39 PM, Prem Sichanugrist <[email protected]> wrote:
>
>> I think it makes a lot of sense. I'd +1 on this.
>>
>> I think since we already know what portion of the path is called, we can do something simple like:
>>
>>     if record.respond_to? :project
>>       path_portion[1] = record.prefix
>>     end
>>
>> (that's pseudocode btw, the actual impl will be more complex. Just to get you the idea.)
>>
>> - Prem
>>
>> On Jun 4, 2012, at 4:35 PM, Duncan Beevers wrote:
>>
>>> On Mon, Jun 4, 2012 at 3:32 PM, Ryan Bigg <[email protected]> wrote:
>>>> Oh, reading this again it seems I was wrong.
>>>>
>>>> How would it guess the associations?
>>>
>>> Indeed
>>>
>>> The way that many apps deal with this pain is using shortcut urls like /issues/5 that simply get the indicated record, look up the parent records, and then figure out permissions based on the "implicit" hierarchy.
>>>
>>>> --
>>>> Ryan Bigg
>>>>
>>>> On Tuesday, 5 June 2012 at 3:10, Michael Boutros wrote:
>>>>
>>>> Hello all,
>>>>
>>>> I'm working on a Rails app and I have resources nested three deep - let's call them user, project, and issues. The route helpers now look like user_project_issue_path(@user, @project, @issue). Would it make sense for Rails to guess the @user and @project relations from @issue? It just feels like a lot of redundant and non-DRY code. I'm willing to write the code myself (or die trying), but I just wanted to make sure this isn't by design.
>>>>
>>>> - Michael Boutros
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
>>>> To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/2jig2rKv1xMJ.
>>>> To post to this group, send email to [email protected].
>>>> To unsubscribe from this group, send email to [email protected].
>>>> For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.

--
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/Zdw0HifJd64J.
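The following is an added example, not code from this thread or from Rails. It uses a tiny in-memory stand-in for ActiveRecord (the `TinyRecord` module, `Scope` struct and the two users/projects/issues of sample data are all constructed here) to show the two things the thread is circling: Michael's idea of deriving `/users/1/projects/2/issues/3` from `@issue` alone by walking its `belongs_to` reflections, and the concrete version of the pitfall John describes, a controller under `/users/:user_id/projects/:project_id/issues/:id` that looks the issue up by `:id` alone, so the user and project segments in the URL are never checked against the record's real parents. The `nested_path`, `unsafe_show` and `safe_show` functions are illustrative names, not Rails APIs.

```ruby
# Minimal in-memory stand-in for ActiveRecord::Base (constructed for this
# example): one table per class, plus belongs_to/has_many reflections.
module TinyRecord
  TABLES = Hash.new { |h, k| h[k] = {} } # class => { id => record }

  # A has_many collection whose find raises unless the row belongs to the owner,
  # the way Project.find(2).issues.find(7) would return nothing in ActiveRecord.
  Scope = Struct.new(:klass, :foreign_key, :owner_id) do
    def find(id)
      rec = klass.find(id)
      unless rec.public_send(foreign_key) == owner_id
        raise KeyError, "#{klass.name} #{id} does not belong to #{foreign_key}=#{owner_id}"
      end
      rec
    end
  end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def reflections
      @reflections ||= []
    end

    # Records the parent association so the path builder can walk the chain.
    def belongs_to(name, class_name:)
      reflections << name
      define_method(name) { Object.const_get(class_name).find(public_send("#{name}_id")) }
    end

    def has_many(name, class_name:, foreign_key:)
      define_method(name) { Scope.new(Object.const_get(class_name), foreign_key, id) }
    end

    def create(id:, **attrs)
      TABLES[self][id] = new(id, attrs)
    end

    def find(id)
      TABLES[self].fetch(id) { raise KeyError, "#{name} #{id} not found" }
    end
  end

  attr_reader :id

  def initialize(id, attrs)
    @id = id
    attrs.each { |k, v| define_singleton_method(k) { v } } # e.g. issue.project_id
  end
end

class User
  include TinyRecord
  has_many :projects, class_name: "Project", foreign_key: :user_id
end

class Project
  include TinyRecord
  belongs_to :user, class_name: "User"
  has_many :issues, class_name: "Issue", foreign_key: :project_id
end

class Issue
  include TinyRecord
  belongs_to :project, class_name: "Project"
end

# Constructed sample data: two users, each owning one project with one issue.
User.create(id: 1); Project.create(id: 2, user_id: 1); Issue.create(id: 3, project_id: 2)
User.create(id: 9); Project.create(id: 8, user_id: 9); Issue.create(id: 7, project_id: 8)

# Michael's idea: recover the parent chain from the leaf record through its
# belongs_to reflections, so the caller passes @issue instead of
# (@user, @project, @issue).
def nested_path(record)
  chain = [record]
  until (parent = chain.first.class.reflections.first).nil?
    chain.unshift(chain.first.public_send(parent))
  end
  chain.map { |r| "/#{r.class.name.downcase}s/#{r.id}" }.join
end

# John's pitfall: this action trusts only :id, so :user_id and :project_id are
# decoration. Any authorization decision made on params[:user_id] is then
# reasoning about a record that may live under a different user entirely.
def unsafe_show(params)
  Issue.find(params[:id])
end

# The fix: unpack the URL outermost-first and resolve every segment through
# its parent's collection, so a chain that does not hold (issue 7 is not in
# project 2, project 2 is not user 9's) raises instead of serving the record.
def safe_show(params)
  User.find(params[:user_id])
      .projects.find(params[:project_id])
      .issues.find(params[:id])
end

if __FILE__ == $PROGRAM_NAME
  puts nested_path(Issue.find(3))          # /users/1/projects/2/issues/3
  mismatched = { user_id: 1, project_id: 2, id: 7 }
  puts unsafe_show(mismatched).id          # 7, served despite the wrong parents
  begin
    safe_show(mismatched)
  rescue KeyError => e
    puts "rejected: #{e.message}"
  end
end
```

The same scoping discipline applies to the shortcut `/issues/5` style Duncan mentions: there the parents are looked up from the record rather than the URL, which is exactly why nothing in the URL can contradict them, and why John calls the un-nested form the simpler and safer one.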
