Hi,
I am working with restful_authentication plugin fresh install from today.
In the users_controller one can read the following:

---
There's no page here to update or destroy a user. If you add those,
be smart -- make sure you check that the visitor is authorized to do so, that they supply their old password along with a new one to update it, etc.
---

I thought Rails had a CSRF protection when submitting forms. Can it be hacked? If that is the case, this means that even for adding/removing/editing entries, an admin will be required to enter his password for each action he takes.
I think you're conflating several issues. The comment is just saying
that you should be careful to restrict what users can update. That is
a completely separate issue to CSRF.
Fred
Are you sure about that?
I read that Rails 2.x uses HTTP-only cookies, so I guess that it is up to the user to make sure his browser is secure and complies with standards of security.
The issue about supplying the old password with the new one is in the case where the identity was stolen. The account is cracked, but neither the password nor the email can be changed.
Do you remember about the Gmail security hole, that enabled a hacker to create mail filters to redirect mail to his own account?
I think the comment is just saying that authentication and authorization are two different beasts, i.e., the current user logged in is indeed that user (authentication) as opposed to the current user being allowed to change or update other users (authorization).
It is always a good idea to ask for a user's old password whenever he(?) is trying to change it. There will always be instances when a user can be just plain dumb - like forgetting to log off from a public workstation.
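Putting the two points from this thread together (authorization: the visitor may only touch their own record; re-authentication: the old password is required before it can be replaced), as an added plain-Ruby sketch that is not the plugin's own controller code. The `User` class, its salted SHA-1 scheme, the `secure_equal?` helper and the `update_password` function are constructed here for illustration.

```ruby
require "digest"

# Compare two digests byte by byte without an early exit, so a wrong guess
# does not leak how many leading characters matched via response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed stand-in for a restful_authentication User record: the plugin
# stored a salted SHA-1 digest of the password rather than the password itself.
class User
  attr_reader :id, :crypted_password, :salt

  def initialize(id, password)
    @id = id
    @salt = "constructed-salt-#{id}"   # a real app generates a random salt per user
    @crypted_password = User.encrypt(password, @salt)
  end

  def self.encrypt(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  # Does the supplied password match the stored digest?
  def authenticated?(password)
    secure_equal?(User.encrypt(password, salt), crypted_password)
  end

  def change_password!(new_password)
    @crypted_password = User.encrypt(new_password, salt)
  end
end

# The checks an update action should perform before rotating a password.
# current_user is whoever the session says the visitor is (authentication,
# already done by the plugin); target is the record being updated.
def update_password(current_user, target, old_password, new_password)
  # Authorization: being logged in is not the same as being allowed to edit this record.
  return :forbidden unless current_user && current_user.id == target.id
  # Re-authentication: a stolen or abandoned session alone must not suffice to change it.
  return :wrong_old_password unless target.authenticated?(old_password)
  return :weak_password if new_password.to_s.length < 8
  target.change_password!(new_password)
  :ok
end
```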