You opened my eyes! I hadn't figured out what private was. I thought that you could access the method logins/set_as_admin even if it was private, because I thought that by /logins/ you had access to the class; that's what I understood before, when I read that private methods can be accessed only by the class itself.
So, private methods can be accessed only by public methods of the class, right? I wonder what protected is, but I will search for it and try some examples. Thanks again :)

On May 24, 13:37, Andy Jeffries <a...@andyjeffries.co.uk> wrote:
> > What would happen if you never use private methods? Will it be some
> > security issue (and if yes, I'd like to see an example if it is
> > possible)
>
> OK, here's a quick example. Assuming you have the default routing rules in
> place so it handles /:controller/:action
>
> class LoginsController < ApplicationController
>   def create
>     @user = User.login(params)
>     if @user.admin?
>       set_as_admin
>     else
>       set_as_normal
>     end
>   end
>
>   def set_as_admin
>     session[:user_type] = :admin
>     session[:user_id] = @user.id
>   end
>
>   def set_as_normal
>     session[:user_type] = :normal
>     session[:user_id] = @user.id
>   end
> end
>
> So you login with normal/password and it runs the internal method
> "set_as_normal" to store the details in the session. You then
> visit http://www.example.com/logins/set_as_admin and BOOM! You're now an
> administrator. This wouldn't be possible if you put "private" above "def
> set_as_admin".
>
> It's a fairly simple example, and I wouldn't code logins like that, but it
> shows that without declaring methods as private in controllers it gives the
> user an easy way to access them.
>
> Just for completeness, the easiest protection for this in the real world is
> to 1) disable the default routing, 2) don't use two methods for set_as_* -
> use one and do the admin? check in that method. However, it was a simple
> example off the top of my head as to why use private in a controller.
>
> Cheers,
>
> Andy
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonrails-t...@googlegroups.com.
> To unsubscribe from this group, send email to
> rubyonrails-talk+unsubscr...@googlegroups.com.
> For more options, visit this group
> at http://groups.google.com/group/rubyonrails-talk?hl=en.
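The escalation Andy describes, and the single-private-method fix he suggests at the end, modelled in plain Ruby as an added example (this is not code from the thread and not Rails itself). The small dispatcher stands in for the default /:controller/:action route and for Rails' rule that every public instance method a controller defines is an action; ActionNotFound, User, USERS, the two controllers and the paths are all constructed for the illustration.

```ruby
# Added example (not from the thread or from Rails): a plain-Ruby model of
# why a public controller method is reachable from the URL bar. The
# dispatcher below stands in for the default /:controller/:action route and
# for Rails' rule that every public instance method a controller defines is
# an action. User, USERS, the controllers and the paths are constructed here.

ActionNotFound = Class.new(StandardError)

class ApplicationController
  attr_reader :params, :session

  def initialize(params = {}, session = {})
    @params  = params
    @session = session
  end
end

# Stand-in for AbstractController::Base.action_methods: the public instance
# methods the controller itself defines (not those inherited from
# ApplicationController). Private and protected methods never appear here.
def action_methods(controller_class)
  controller_class.public_instance_methods(false).map(&:to_s)
end

# One request: a fresh controller instance per request (so @user is nil
# unless this action sets it), with the session carried over from before.
def dispatch(controller_class, path, params = {}, session = {})
  action = path.split("/").last
  unless action_methods(controller_class).include?(action)
    raise ActionNotFound, "#{controller_class}##{action}"
  end
  controller = controller_class.new(params, session)
  controller.public_send(action)
  controller.session
end

# Constructed user table: "normal" is an ordinary user, "root" an admin.
User = Struct.new(:id, :admin) do
  def admin?
    admin
  end

  def self.login(params)
    USERS.fetch(params[:username])
  end
end
USERS = { "normal" => User.new(2, false), "root" => User.new(1, true) }.freeze

# Andy's controller as posted: set_as_admin is public, so it is an action.
class LoginsController < ApplicationController
  def create
    @user = User.login(params)
    @user.admin? ? set_as_admin : set_as_normal
  end

  def set_as_admin
    session[:user_type] = :admin
    # On a direct request @user is nil; the :admin flag is already written.
    session[:user_id] = @user.id if @user
  end

  def set_as_normal
    session[:user_type] = :normal
    session[:user_id] = @user.id if @user
  end
end

# Hardened per Andy's closing advice: one private method that does the
# admin? check itself, so there is nothing extra for the route to reach.
class HardenedLoginsController < ApplicationController
  def create
    @user = User.login(params)
    store_session
  end

  private

  def store_session
    session[:user_type] = @user.admin? ? :admin : :normal
    session[:user_id]   = @user.id
  end
end

# Log in as "normal", then request /logins/set_as_admin with the same session.
def login_then_escalate(controller_class)
  session = dispatch(controller_class, "/logins/create", { username: "normal" }, {})
  dispatch(controller_class, "/logins/set_as_admin", {}, session)
end

def escalation_blocked?(controller_class)
  login_then_escalate(controller_class)
  false
rescue ActionNotFound
  true
end

if __FILE__ == $PROGRAM_NAME
  p action_methods(LoginsController)              # ["create", "set_as_admin", "set_as_normal"]
  p login_then_escalate(LoginsController)         # {:user_type=>:admin, :user_id=>2}
  p action_methods(HardenedLoginsController)      # ["create"]
  p escalation_blocked?(HardenedLoginsController) # true
end
```

The check that matters is action_methods: in real Rails the list is computed the same way (public instance methods of the controller, minus the framework's own), so a private or protected helper can never be hit by a URL, while a public one needs only the catch-all route to exist. Dropping that route, as Andy also suggests, removes the second half of the precondition; marking helpers private removes the first.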