On 16 Sep 2008, at 21:24, Fernando Perez <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I am working with restful_authentication plugin fresh install from
> today.
>
> In the users_controller one can read the following:
> ---
> There's no page here to update or destroy a user. If you add those, be
> smart -- make sure you check that the visitor is authorized to do so,
> that they supply their old password along with a new one to update it, etc.
> ---
> I thought Rails had a CSRF protection when submitting forms. Can it be
> hacked?
>
> If that is the case, this means that even for adding/removing/editing
> entries, an admin will be required to enter his password for each action
> he takes.
I think you're conflating several issues. The comment is just saying
that you should be careful to restrict what users can update. That is
a completely separate issue to CSRF.
Fred
>
>
> What do you think?
> --
> Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
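Fred's point, that CSRF protection and authorization are separate checks, as an added example in plain Ruby (not code from the thread or from the restful_authentication plugin): the authenticity-token comparison, the "is this visitor allowed to edit this user" check, and the old-password check are three independent gates, and a request can pass the first while failing either of the others. The `User` struct, `update_password` and the simplified salted hash are assumptions made for the example.

```ruby
require "securerandom"
require "digest/sha2"

# Constructed in-memory user record; a real app would use an ActiveRecord model.
User = Struct.new(:id, :salt, :password_hash, :admin)

# Simplified salted hash (assumption; restful_authentication's real scheme differs).
def hash_password(password, salt)
  Digest::SHA256.hexdigest("#{salt}--#{password}")
end

def new_user(id, password, admin: false)
  salt = SecureRandom.hex(20)
  User.new(id, salt, hash_password(password, salt), admin)
end

# Constant-time string comparison so token/hash checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Gate 1 (CSRF): does the form carry the token stored in this visitor's session?
# This only proves the request came from a page we rendered, not who may edit what.
def valid_authenticity_token?(session, params)
  expected = session[:csrf_token].to_s
  !expected.empty? && secure_equal?(expected, params[:authenticity_token].to_s)
end

# Gate 2 (authorization): only the account owner or an admin may update a user.
def authorized_to_update?(current_user, target_user)
  !current_user.nil? && (current_user.admin || current_user.id == target_user.id)
end

# Gate 3 (re-authentication): a password change must present the current password,
# so a hijacked session alone is not enough to lock the real owner out.
def old_password_matches?(target_user, old_password)
  secure_equal?(target_user.password_hash, hash_password(old_password.to_s, target_user.salt))
end

# Controller-action-style flow; returns a symbol naming the gate that failed.
def update_password(current_user, target_user, session, params)
  return :forbidden_csrf unless valid_authenticity_token?(session, params)
  return :forbidden unless authorized_to_update?(current_user, target_user)
  return :wrong_old_password unless old_password_matches?(target_user, params[:old_password])
  target_user.password_hash = hash_password(params[:new_password].to_s, target_user.salt)
  :ok
end
```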