Thx for creating this awesome gem for json:api and Rails. We're just adding it to our open source project.
We're using Devise to check authorization of a single record. This record is fetched by params[:id], so our check is made based on the :id provided in the URL. When updating a record by PATCH, it was possible to override the given :id if one just set another id in the provided JSON payload: data.attributes.id.
So to make sure no one is able to update any other records, we added the following to our ApplicationResource:
```ruby
def self.find(params = {}, base_scope = nil)
  # make sure both id params are the same
  # for update since we're checking permission based on
  # params :id
  data_id  = params[:data].try(:[], :id).try(:to_i)
  param_id = params[:id].to_i
  if data_id && param_id
    raise ActionController::BadRequest unless data_id == param_id
  end
  super(params, base_scope)
end
```
Since this is security relevant, we'd like to share this insight here. I'm sure other projects are dealing with a similar situation. Maybe it would also be good to add some documentation about it.
Maybe it would also be nice to have a Security chapter in the documentation. You could also mention there why it's safe to use Resource.find(params), because Rails developers are used to using strong_params and never put params directly into a find method.
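As an added example (not code from the gem or from the reporter), a standalone Ruby sketch of the flow described above: an update that is authorized on the URL :id but written to the payload's data.id, next to the same flow with the id comparison in front. RECORDS, vulnerable_update, safe_update and verify_json_api_id! are constructed names; ids are compared as strings because JSON:API ids are strings.

```ruby
require 'json'

class IdMismatchError < StandardError; end

# Constructed in-memory store: record id => owner and data (stands in for the DB).
RECORDS = {
  '1' => { owner: 'alice', title: 'alice post' },
  '2' => { owner: 'bob',   title: 'bob post' }
}.freeze

# Reject a JSON:API payload whose data.id differs from the URL :id.
# Ids are compared as trimmed strings: to_i would map nil and "abc" to 0
# and could hide a mismatch. Returns the id to use for the lookup.
def verify_json_api_id!(url_id, payload)
  url_s = url_id.to_s.strip
  raise IdMismatchError, 'missing URL id' if url_s.empty?
  data    = payload.is_a?(Hash) ? payload['data'] : nil
  body_id = data.is_a?(Hash) ? data['id'] : nil
  return url_s if body_id.nil? # no id in the body, nothing to compare
  body_s = body_id.to_s.strip
  raise IdMismatchError, "URL id #{url_s} != body id #{body_s}" unless url_s == body_s
  url_s
end

# The flow the issue describes: authorization looks at the URL id, but the
# write goes to whatever id the payload named (hypothetical, for illustration).
def vulnerable_update(user, url_id, raw_json, records = RECORDS.dup)
  payload = JSON.parse(raw_json)
  raise 'forbidden' unless records.fetch(url_id.to_s)[:owner] == user
  target = payload['data']['id'].to_s
  records[target] = records.fetch(target).merge(title: payload['data']['attributes']['title'])
  records
end

# Same flow with the id comparison in front: the write can only reach the
# record whose owner was actually checked.
def safe_update(user, url_id, raw_json, records = RECORDS.dup)
  payload = JSON.parse(raw_json)
  id = verify_json_api_id!(url_id, payload)
  raise 'forbidden' unless records.fetch(id)[:owner] == user
  records[id] = records.fetch(id).merge(title: payload['data']['attributes']['title'])
  records
end

# Constructed request: alice PATCHes /posts/1 while the body names record 2.
TAMPERED = JSON.generate(data: { type: 'posts', id: '2', attributes: { title: 'changed' } })
```

With TAMPERED, vulnerable_update lets alice rewrite bob's record 2, while safe_update raises IdMismatchError before any lookup or write happens.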