Record ID for authorization #441
Hi
Thanks for creating this awesome gem for json:api and rails. We're just adding it to our open source project.
We're using devise to check authorization of a single record. This record is fetched by params[:id], so our check is made based on the :id provided in the URL. When updating a record by PATCH, it was possible to override the given :id if one just set another id in the provided json payload: data.attributes.id.
So to make sure no one is able to update any other records, we added the following to our ApplicationResource:
Since this is security relevant, we'd like to share this insight here. I'm sure other projects are dealing with a similar situation. Maybe it would also be good to add some documentation about it.
Maybe it would also be nice to have a Security chapter in the documentation. You could also mention there why it's safe to use Resource.find(params), because rails developers are used to using strong_params and never put params directly into a find method.
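As an added example (not code from this issue or from the gem), here is a plain-Ruby version of the check described above: the id in the PATCH body (data.id or data.attributes.id) must agree with the :id from the URL, otherwise the request is rejected. The function names and sample payloads are assumptions.

```ruby
require 'json'

# Raised when the JSON:API document names a different record than the URL.
class IdMismatchError < StandardError; end

# Returns the id that authorization was performed against (the URL id, as a
# string) when the payload is consistent with it. Both data.id and
# data.attributes.id are compared, because either one could be picked up by an
# update if the body is applied without this check. url_id is params[:id].
def authorized_record_id(url_id, payload)
  data = payload['data']
  raise IdMismatchError, 'missing or malformed data member' unless data.is_a?(Hash)

  attrs = data['attributes']
  body_ids = [data['id'], attrs.is_a?(Hash) ? attrs['id'] : nil].compact
  body_ids.each do |id|
    # Compare as strings: the URL id is a string, the body id may be an integer.
    next if id.to_s == url_id.to_s

    raise IdMismatchError, "payload id #{id.inspect} does not match URL id #{url_id.inspect}"
  end
  url_id.to_s
end

# Returns a copy of the payload pinned to the URL id: data.id is forced to the
# authorized id and any attributes.id is dropped, so later code cannot pick up
# a client-supplied id even if it skips the check above.
def pin_record_id(url_id, payload)
  data = payload.fetch('data', {}).dup
  data['id'] = url_id.to_s
  data['attributes'] = data['attributes'].reject { |k, _| k == 'id' } if data['attributes'].is_a?(Hash)
  payload.merge('data' => data)
end

# Constructed sample requests (not taken from the project).
PATCH_OK = JSON.parse('{"data":{"type":"posts","id":"7","attributes":{"title":"hello"}}}')
PATCH_TAMPERED = JSON.parse('{"data":{"type":"posts","id":"7","attributes":{"id":9,"title":"hello"}}}')

if __FILE__ == $0
  puts authorized_record_id('7', PATCH_OK)
  begin
    authorized_record_id('7', PATCH_TAMPERED)
  rescue IdMismatchError => e
    puts "rejected: #{e.message}"
  end
end
```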