
Rails 4 Test Prescriptions by Noel Rappin


Protection Against Form Modification

We have at least one blind spot in our user and role protection. The project show page has a form that submits a new task. That form is submitted to the TasksController, which doesn’t handle any user-access control. The use case here is a malicious user not going through the web UI but creating his own HTTP request and pointing it at the server.

There are two important issues here, at least from my perspective as Rails Testing Author Guy. First is the habit of noticing when you’re using a resource that’s being accessed as a result of a user request as opposed to being stored server-side. This is even true when the resource is protected indirectly, as in this case, where we’re accessing a Task that belongs ...
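The blind spot described above, as an added illustration that is not code from the book or its sample app: a plain-Ruby stand-in for what a TasksController create action does with the project id that arrives in the form body. No Rails is loaded; the User and Project structs, the sample data and the two `create_task_*` methods are all constructed here. The first version looks the project up globally and trusts whatever `project_id` the request carried; the second resolves it through the current user's own projects, so a hand-built request naming someone else's project is simply not found.

```ruby
# Added example, not from the book. Models (no ActiveRecord) constructed for this demo.
Project = Struct.new(:id, :owner_id, :tasks)
User    = Struct.new(:id)

# Fresh sample data for each scenario so the two shapes can be compared side by side.
def sample_projects
  {
    1 => Project.new(1, :alice,   []),
    2 => Project.new(2, :mallory, []),
  }
end

# A constructed POST body that never went through the project show page's form:
# the project_id names a project the submitting user does not own.
def crafted_params
  { project_id: 1, title: "injected task" }
end

# Vulnerable shape: the resource is reached straight from request input.
# Any logged-in user can append tasks to any project.
def create_task_unscoped(projects, current_user, params)
  project = projects.fetch(params[:project_id])
  project.tasks << { title: params[:title], created_by: current_user.id }
  [:created, project.id]
end

# Stand-in for `current_user.projects` (what an association scope would return).
def projects_visible_to(projects, user)
  projects.select { |_, project| project.owner_id == user.id }
end

# Hardened shape: the lookup is scoped to the current user, so an id the user
# cannot see behaves like a missing record instead of granting access.
def create_task_scoped(projects, current_user, params)
  project = projects_visible_to(projects, current_user)[params[:project_id]]
  return [:not_found, nil] if project.nil?

  project.tasks << { title: params[:title], created_by: current_user.id }
  [:created, project.id]
end

if __FILE__ == $PROGRAM_NAME
  mallory = User.new(:mallory)
  puts "unscoped: #{create_task_unscoped(sample_projects, mallory, crafted_params).inspect}"
  puts "scoped:   #{create_task_scoped(sample_projects, mallory, crafted_params).inspect}"
end
```

The test a controller spec would want is the one shown last: posting the crafted parameters as the non-owner must not create the task, while the same parameters from the owner still do. Checking only the happy path is exactly what leaves this kind of gap in place.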
