February 2018
Intermediate to advanced
406 pages
9h 52m
English
Content preview from Rails 5 Test PrescriptionsBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Protection Against Form Modification
There is at least one blind spot in the user and role protection. The project show page has a form that submits a new task. That form is submitted to the TasksController, which doesn’t handle any user-access control. The use case here is a malicious user not going through the web UI but rather creating his own HTTP request and pointing it at the server.
There are two important issues here, at least from my perspective as Rails Testing Author Guy. First is the habit of noticing when you’re using a resource that’s being accessed as a result of a user request as opposed to being stored server-side. This is even true when the resource is protected indirectly, as in this case, where you’re accessing a Task that ...