Frederick Cheung wrote in post #1019792:
> On Sep 2, 12:58pm, 7stud -- <li...@ruby-forum.com> wrote:
>>
>>> get_user_from_session.id.to_s # User with ID = 1
>>> User.find('1-user-name') # User with ID = 1
>>
>> > so comparing params[:id] with the User ID converted to string will not
>> > always be equal.
>>
>> I understand what you are saying, I just don't see how it's relevant to
>> my problem.
>>
> I suspect that if you inspected the two things you are comparing you'd
> see the relevance. I assume this is not using rails 3.1 ?
>
> Fred
rails 3.0.9

Your response does point out a difference in the two code snippets I posted:

case 1:

    get_user_from_session.id.to_s == params[:id]

***user1 signs in, which puts his id in the session***

If a malicious user goes to the edit page, and sees this url in the address bar:

    http://localhost:3000/users/1/edit

and changes that to:

    http://localhost:3000/users/1-user-name/edit

and refreshes the page, he will be **redirected** because:

    get_user_from_session.id.to_s

will equal '1' and:

    params[:id]

will equal '1-user-name'

case 2:

    get_user_from_session == User.find(params[:id])

***user1 signs in, which puts his id in the session***

If a malicious user goes to the edit page, and sees this url in the address bar:

    http://localhost:3000/users/1/edit

and changes that to:

    http://localhost:3000/users/1-user-name/edit

and refreshes the page, he will be **shown his own edit page** again because:

    get_user_from_session

will return user1 and:

    User.find(params[:id])

will return user1

I really don't care what happens in that case, and I don't understand why that would cause my tests to fail. With both versions of the code, if the user changes the url from:

    http://localhost:3000/users/1/edit

to:

    http://localhost:3000/users/4/edit

then he will be redirected and not allowed to edit user4's info.

-- 
Posted via http://www.ruby-forum.com/.
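As an added example, not code from the thread, a Rails-free Ruby model of the two authorization checks compared in the post. The User stub and its TABLE fixture are constructed here; its find casts string ids with to_i, which is the Rails 3.0 behaviour the thread describes (User.find('1-user-name') loads user 1), and the Integer id in the last case stands in for an id that reaches the check as an Integer rather than a String (an assumption, e.g. an id passed directly by a test).

```ruby
# Added example (not code from the thread): a Rails-free model of the two
# authorization checks discussed in the post.
class User
  attr_reader :id, :name

  # Constructed fixture standing in for the users table.
  TABLE = { 1 => 'user1', 4 => 'user4' }.freeze

  def initialize(id, name)
    @id, @name = id, name
  end

  # Mimics the ActiveRecord 3.0 behaviour the thread describes: a string id
  # is cast to an integer, so '1-user-name'.to_i == 1 loads user 1.
  def self.find(param)
    id = param.to_i
    raise KeyError, "Couldn't find User with ID=#{param}" unless TABLE.key?(id)
    new(id, TABLE[id])
  end

  # ActiveRecord compares records by class and primary key, not object identity.
  def ==(other)
    other.is_a?(User) && other.id == id
  end
end

# Case 1 from the post: compare the session user's id as a String with the raw param.
def string_check(session_user, params_id)
  session_user.id.to_s == params_id
end

# Case 2 from the post: load the requested record and compare it with the session user.
def record_check(session_user, params_id)
  session_user == User.find(params_id)
end

# Returns :allow or :redirect, mirroring the outcome of the controller's before_filter.
def edit_decision(check, session_user, params_id)
  check.call(session_user, params_id) ? :allow : :redirect
end

if __FILE__ == $0
  user1 = User.find('1')
  ['1', '1-user-name', '4', 1].each do |params_id|
    puts "params[:id]=#{params_id.inspect}: " \
         "string_check=#{edit_decision(method(:string_check), user1, params_id)} " \
         "record_check=#{edit_decision(method(:record_check), user1, params_id)}"
  end
end
```

Both checks redirect for '4'; they differ only on '1-user-name' and on a non-String id, where `'1' == 1` is false in Ruby, so the string comparison denies the legitimate user while the record comparison allows him.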