Secure Form question

In CakePHP, you have the Secure component. It takes certain form values like id and User_id and such and encodes them. How is this done in Rails? I don't want the user to change ids on items for deletions and such.

Trausti

You can enable the :protect_from_forgery which puts in an authenticity token with every form. This is on by default in the new version of Rails. This is a random ID tied down with the session. This is not the same as what you are looking for, but it will probably suffice.


Actually I think it is completely different. That is protection from CSRF attacks, whereas Trausti is (I think) concerned about a user editing the page to change the value of a hidden field or things like that.

Fred

You could always do it manually by encoding the ids in questions and storing the encoding in the form as well. On form validation, you could just ensure that the encoded string and the non-encoded string match up. That way, a hacker would need to change both strings to get the thing to work. Would that work or were you looking for something less manual like a gem or whatever?

Fredrik, exactly what I am after. Hashing/crypting the hidden fields.

How ?

If I do this manually, it is more than guaranteed that I will forget this someplace.

Trausti
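As an added example (not code from the thread), here is the manual scheme Fredrik describes and Trausti asks how to implement: each hidden id is paired with an HMAC over the id plus the form's purpose, and the handler rejects the field unless the signature verifies. It is plain Ruby with a constructed secret; Rails' ActiveSupport::MessageVerifier implements the same generate/verify pattern, so in an app this need not be hand-rolled.

```ruby
require 'openssl'
require 'base64'

# Added example: sign hidden form values with an HMAC so a tampered id is
# rejected on submission. The secret is a constructed placeholder; in an app
# it would come from the application's secret configuration, never the view.
SECRET = 'constructed-example-secret-keep-out-of-source-control'.freeze

# Build the value placed in the hidden field: "<base64 payload>--<hmac>".
# The payload carries the id together with the purpose (e.g. "delete_item")
# so a token minted for one form cannot be replayed in another.
def signed_field(value, purpose)
  payload = Base64.strict_encode64("#{purpose}:#{value}")
  "#{payload}--#{hmac(payload)}"
end

# Verify a submitted field. Returns the original value (as a string) on
# success, nil on any tampering: changed id, wrong purpose, forged or
# missing signature, or malformed input.
def verify_field(token, purpose)
  return nil unless token.is_a?(String) && token.include?('--')
  payload, sig = token.split('--', 2)
  return nil unless secure_compare(hmac(payload), sig)
  decoded = Base64.strict_decode64(payload)
  expected_prefix = "#{purpose}:"
  return nil unless decoded.start_with?(expected_prefix)
  decoded[expected_prefix.length..-1]
rescue ArgumentError # strict_decode64 raises on malformed base64
  nil
end

def hmac(data)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
end

# Constant-time comparison so the check does not leak how many leading
# signature bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simulated round trip: the form emits a signed id, the browser posts it back,
# then an attacker swaps in a different id while keeping the old signature.
if __FILE__ == $0
  token = signed_field(42, 'delete_item')
  puts verify_field(token, 'delete_item')                      # 42
  forged = "#{Base64.strict_encode64('delete_item:43')}--#{token.split('--').last}"
  p verify_field(forged, 'delete_item')                        # nil
end
```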

You may want to take a look at attr_accessible / attr_protected and friends - they handle the common case where you don't want to allow mass-assignment of some attributes.

--Matt Jones