开发者

is this a secure approach in ActiveRecords in Rails?

开发者 https://www.devze.com 2022-12-25 23:54 出处:网络
I am using the following for my customers to unsubscribe from my mailing list; def index @user = User.find_by_salt(params[:subscribe_code])
相关专题:activerecordruby-on-rails

I am using the following for my customers to unsubscribe from my mailing list;

  def index
    @user = User.find_by_salt(params[:subscribe_code]) 
    if @user.nil? 
      flash[:notice] = "the link is not valid...."
      render :action => 'index'
    else    
      Notification.delete_all(:user_id => @user.id)
      flash[:notice] = "you have been unsubscribed....."
      redirect_to :controller => 'home'
    end 
  end

my link looks like; http://site.com/unsubscribe/32hj5h2j33j3h333

so the above compares the random string to a field in my user table and accordingly deletes data from the not开发者_如何学JAVAification table.

My question; is this approach secure? is there a better/more efficient way for doing this?

All suggestions are welcome.

I don't see anything wrong in your solution if the action doesn't require authentication.

If the action requires authentication then I would make sure that the salt belongs to the current user

@user = User.find_by_id_and_salt(current_user.id, params[:subscribe_code])

Is it all that important that the user be informed if their unsubscribe link was wrong? What are the chances of that anyway? Wasn't it generated programmatically and that program is tested? If the answer is "yes" (hint: it should be) then my suggestion would be to always tell the user that they've unsubscribed, regardless of what happened.

def index
  begin
    @user = User.find_by_salt!(params[:subscribe_code]) 
  rescue ActiveRecord::RecordNotFound
  ensure
    @user.notifications.delete_all if @user
    flash[:notice] = "You have been unsubscribed."
    redirect_to :action => "index"
  end
end

I think this is safer:

@user = User.find :all, :conditions => { salt => params[:subscribe_code] }

That way you are sure that Rails knows params[:subscribe_code] is to be escaped. There are probably lots of ways to write it that would work though.

your link should be

http://site.com/unsubscribe/?subscribe_code=32hj5h2j33j3h333

otherwise "32hj5h2j33j3h333" will get as a params[:id]

else is fine. Assuming subscribe_code will be unique.

0

上一篇:

:下一篇

更多 问答 相关资讯:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

    关注公众号

    热门标签

    图文推荐

    Delphi - Custom drawing a message list

    Delphi - Custom drawing a message list
    C++ header-only include pattern

    C++ header-only include pattern
    IE7 Margin Collapses Into Padding

    IE7 Margin Collapses Into Padding
    in CoffeeScript, how can I use a variable as a key in a hash?

    in CoffeeScript, how can I use a variable as a key in a hash?
    Interactive visualization of a graph in python [closed]

    Interactive visualization of a graph in python [closed]
    How to customise PHP MYSQL tables?

    How to customise PHP MYSQL tables?
    High quality, simple random password generator

    High quality, simple random password generator
    Image Recognition ApI in android

    Image Recognition ApI in android

    开发者开发者网给大家分享系统运维,大数据运维,云计算,编程开发技巧,路由交换,运维和开发相关的资讯及技术文章,同时StackOverflow中文社区,知识经验交流分享。

    法律声明:本站内容均为网友上传,网站举办方负责审核和监督,如存在版权或非法内容,欢迎举报,我们将尽快予以删除。邮箱:devze@qq.com

    Copyright © 2018-2020 开发者. All rights reserved. Powered by 开发者ICP备案号: 京ICP备10032868号-9