It is easy to open a security hole in your Rails application. Fortunately, by scoping your finders, it is also easy to write your code without opening one. Here is an example. Let's say you have an expense tracking application and the URL is /expenses/151. This calls the show action of the expenses controller with params[:id] = 151.
    #bad: the finder is unscoped, so any id typed into the URL returns any user's expense
    def show
      @expense = Expense.find(params[:id])
    end
    #good: @user is the logged-on user, so the lookup is restricted to their own expenses
    def show
      @expense = @user.expenses.find(params[:id])
    end
The scoped finder adds the matching WHERE clause to the generated SQL; it happens automatically. Without scoping the expense finder, any user can read any other user's data just by changing the id in the URL. Generally you will want to set this up as a before filter. This also works for nested routes. Let's say the URL is /invoices/25/line_items/87:
    class LineItemsController < ApplicationController
      before_filter :setup
      #snip many lines

      protected

      # Load the invoice through the user, and the line item through the invoice,
      # so neither record can be reached outside the logged-on user's data.
      def setup
        @invoice = @user.invoices.find(params[:invoice_id]) unless params[:invoice_id].blank?
        @line_item = @invoice.blank? ? @user.line_items.find(params[:id]) : @invoice.line_items.find(params[:id])
      end
    end
You don't have to use the @user variable. In Less Accounting we use a sub-domain for each business. Since each business may have several users, all the controllers are scoped to the @business variable, which is determined by the sub-domain of the URL. The @business variable itself is scoped by the @user variable.
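To make the difference between the bad and good finders concrete without a database, here is an added example (not code from the original post) with a small in-memory stand-in for an ActiveRecord association scope: the Expense struct, the EXPENSES table and the Scope class are constructed for illustration, and Scope#find mimics the way @user.expenses.find adds the owner's condition and raises RecordNotFound rather than returning another user's row.

```ruby
# Added example, not from the original post: an in-memory stand-in for the
# ActiveRecord behaviour the post relies on. Scope#find mimics
# `@user.expenses.find(id)`, which adds `WHERE user_id = ?` and raises
# ActiveRecord::RecordNotFound (rendered as a 404 in Rails) for rows outside the scope.
class RecordNotFound < StandardError; end

Expense = Struct.new(:id, :user_id, :amount)

# Constructed sample table: two users, three expenses.
EXPENSES = [
  Expense.new(150, 1, 12.50),
  Expense.new(151, 2, 99.00), # belongs to user 2
  Expense.new(152, 1, 3.75),
].freeze

# Mimics an association scope: only rows matching the given columns are visible.
class Scope
  def initialize(rows, **where)
    @rows = rows.select { |r| where.all? { |col, val| r[col] == val } }
  end

  # Like ActiveRecord's find: raise instead of returning nil, so a guessed id
  # outside the caller's scope never yields another user's record.
  def find(id)
    row = @rows.find { |r| r.id == id.to_i }
    raise RecordNotFound, "Couldn't find Expense with id=#{id}" unless row
    row
  end
end

# Unscoped finder, as in the post's "bad" show action: any id reaches any row.
def unscoped_show(params)
  Scope.new(EXPENSES).find(params[:id])
end

# Scoped finder, as in the "good" show action: the owner condition is the authorization.
def scoped_show(current_user_id, params)
  Scope.new(EXPENSES, user_id: current_user_id).find(params[:id])
end

if __FILE__ == $PROGRAM_NAME
  puts unscoped_show(id: "151").user_id # user 1 can read user 2's expense
  puts scoped_show(1, id: "150").amount # user 1 reads their own expense
  begin
    scoped_show(1, id: "151")           # user 1 asks for user 2's expense
  rescue RecordNotFound => e
    puts e.message                      # scoped lookup fails closed
  end
end
```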