Protection Against Form Modification
We have at least one blind spot in our user and role protection. The project show page has a form that submits a new task. That form is submitted to the TasksController, which doesnât handle any user-access control. The use case here is a malicious user not going through the web UI but creating his own HTTP request and pointing it at the server.
There are two important issues here, at least from my perspective as Rails Testing Author Guy. First is the habit of noticing when youâre using a resource thatâs being accessed as a result of a user request as opposed to being stored server-side. This is even true when the resource is protected indirectly, as in this case, where weâre accessing a Task that ...
Get Rails 4 Test Prescriptions now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
