If you used restful-authentication with the --stateful flag and did not add an admin_required filter, anyone can delete users. A patch is on github.
This is not the first time I have found this type of problem. Check your favourite authentication generator; is the default code secure? Can any new user delete others?
In a perfect world, programmers would read all the code that these generators create and check every comment for things to fix.
Realistically, that’s not what happens. For the activation emails, in my branch of r_a, I intentionally generate failing tests.
Once you have entered the appropriate values in your emails, the tests pass. Rather than hoping they read my notes, I am forcing the coder to fill in the blanks.
If you must communicate your gotchas using comments, at the very least, they should use FIXME or TODO keywords that are picked up by ‘rake notes’.
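To make the bug concrete, here is an added example (not the post's patch and not restful_authentication's generated code): a plain-Ruby stand-in for a Rails before_filter chain, with the generated shape of a users controller whose destroy action sits only behind login_required next to the same controller with the admin_required filter added. The User struct, UserStore, BaseController and delete_as helper are all constructed for this example.

```ruby
User = Struct.new(:id, :login, :admin)
class UserStore
  def initialize(users)
    @users = users.each_with_object({}) { |u, h| h[u.id] = u }
  end
  def find(id); @users.fetch(id); end
  def delete(id); @users.delete(id); end
  def ids; @users.keys.sort; end
end

# Tiny imitation of the Rails 2-era before_filter chain: filters run in
# declaration order and a filter returning false halts the request, so the
# action never executes (constructed for this example, not ActionController).
class BaseController
  def self.before_filter(name, opts = {}); (@filters ||= []) << [name, opts]; end
  def self.filters; @filters || []; end
  attr_reader :current_user, :store
  def initialize(store, current_user); @store, @current_user = store, current_user; end
  def process(action, params)
    self.class.filters.each do |name, opts|
      next if opts[:only] && !Array(opts[:only]).include?(action)
      return :forbidden if send(name) == false
    end
    send(action, params)
  end
  def login_required; !current_user.nil?; end
  def admin_required; login_required && current_user.admin == true; end
end

# The generated shape the post warns about: destroy is only behind
# login_required, so any signed-in user can delete any other user.
class VulnerableUsersController < BaseController
  before_filter :login_required, only: [:destroy]
  def destroy(params); store.delete(params[:id]); :destroyed; end
end

# The fix the post describes: add an admin_required filter on destroy.
class FixedUsersController < BaseController
  before_filter :login_required, only: [:destroy]
  before_filter :admin_required, only: [:destroy]
  def destroy(params); store.delete(params[:id]); :destroyed; end
end

# Runs destroy on user 3 as the admin (id 1) or as ordinary user alice (id 2)
# and reports the outcome plus the users still present.
def delete_as(controller_class, as_admin)
  store = UserStore.new([User.new(1, "admin", true), User.new(2, "alice", false), User.new(3, "bob", false)])
  result = controller_class.new(store, store.find(as_admin ? 1 : 2)).process(:destroy, id: 3)
  [result, store.ids]
end
```

The same contrast is what a generated functional test should fail on until the filter is present: alice deleting bob must return forbidden, and only the admin's delete should remove a row.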
1 comment so far
Dunno if it’s secure, cause the code isn’t really in the wild. But I think having a profile_controller that fetches current_user is cool.
http://github.com/leethal/blank-rails-app/tree/master/app/controllers/profile_controller.rb