Secure Form question

In CakePHP, you have the Secure component. It takes certain form values
like id and User_id and such and encodes them.
How is this done in Rails? I don't want the user to change ids on
items for deletions and such.

Trausti

You can enable the :protect_from_forgery which puts in an authenticity
token with every form. This is on by default in the new version of
Rails. This is a random ID tied down with the session. This is not
the same as what you are looking for, but it will probably suffice.

Actually I think it is completely different. That is protection from
CSRF attacks, whereas Trausti is (I think) concerned about a user
editing the page to change the value of a hidden field or things like
that.

Fred

You could always do it manually by encoding the ids in question and storing the encoding in the form as well. On form validation, you could just ensure that the encoded string and the non-encoded string match up. That way, a hacker would need to change both strings to get the thing to work. Would that work or were you looking for something less manual like a gem or whatever?
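As an added example (not Fred's code, and not Rails or CakePHP code): the "encode the id and store the encoding in the form" approach only works if the attacker cannot recompute the encoding, so the practical form of it is an HMAC over the field name and value with a secret that lives only on the server. The names `sign_field`, `hidden_fields_for` and `verified_field` and the secret value below are assumptions made for the example; including the field name in the signed string stops a valid signature for `user_id=5` from being replayed as `item_id=5`.

```ruby
require 'openssl'

# Server-side secret; in a real app this comes from configuration, never from
# the form itself. The value here is a CONSTRUCTED placeholder for the example.
FORM_SECRET = 'example-secret-do-not-reuse'.freeze

# Constant-time comparison so a tampered signature is not detectable via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# HMAC-SHA256 over "name=value"; the field name is part of the signed string so
# a signature for one field cannot be reused for another.
def sign_field(name, value, secret = FORM_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{name}=#{value}")
end

# Hidden inputs to render for a protected field: the value plus its signature.
def hidden_fields_for(name, value, secret = FORM_SECRET)
  {
    name => value.to_s,
    "#{name}_sig" => sign_field(name, value, secret)
  }
end

# On submission: recompute the signature over the submitted value and compare.
# Returns the trusted value, or nil if the field or signature is missing/tampered.
def verified_field(params, name, secret = FORM_SECRET)
  value = params[name]
  sig = params["#{name}_sig"]
  return nil if value.nil? || sig.nil?
  expected = sign_field(name, value, secret)
  secure_equal?(expected, sig) ? value : nil
end

# Constructed walk-through
if __FILE__ == $PROGRAM_NAME
  fields = hidden_fields_for('user_id', 42)
  p verified_field(fields, 'user_id')                  # "42"
  tampered = fields.merge('user_id' => '7')            # user edits the hidden field
  p verified_field(tampered, 'user_id')                # nil
end
```

On a rejected field the handler should refuse the request (and log it) rather than fall back to the submitted value; the id the form round-trips is still only a hint, and the authoritative check remains "does the current user own this record" on the server.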

Fredrik, exactly what I am after. Hashing/crypting the hidden fields.

How ?

If I do this manually, it is more than guaranteed that I will forget
this someplace.

Trausti

You may want to take a look at attr_accessible / attr_protected and
friends - they handle the common case where you don't want to allow
mass-assignment of some attributes.

--Matt Jones
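To show the mass-assignment case Matt refers to, here is an added example that re-implements the idea behind `attr_accessible` in plain Ruby; it is not the Rails implementation and not any poster's code. The `MassAssignment` module, the `Item` class and the `update_item_from_form` helper are constructed for the example. The point it demonstrates: a field such as `user_id` is simply never assignable from form params, so it does not matter what a user puts in a hidden field, and the owner comes from the session instead.

```ruby
# Minimal stand-in for the attr_accessible whitelist idea (constructed for this
# example, not the framework's code): a class-level list of attribute names that
# mass assignment is allowed to touch.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Assign only whitelisted keys. Returns the keys that were dropped so the
  # caller can log an attempted tampering instead of silently ignoring it.
  def assign_attributes(params)
    dropped = []
    params.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_s)
        instance_variable_set("@#{key}", value)
      else
        dropped << key.to_s
      end
    end
    dropped
  end
end

class Item
  include MassAssignment
  attr_accessor :title, :body, :user_id
  attr_accessible :title, :body   # user_id is deliberately not on the list

  def initialize(user_id)
    @user_id = user_id   # taken from the session, never from the form
  end
end

# Controller-style update: form params go through the whitelist only.
def update_item_from_form(item, form_params)
  dropped = item.assign_attributes(form_params)
  { item: item, dropped: dropped }
end

# Constructed walk-through: the form carries a forged user_id
if __FILE__ == $PROGRAM_NAME
  item = Item.new(42)
  result = update_item_from_form(item, { 'title' => 'Hello', 'user_id' => '7' })
  p result[:item].user_id   # 42 (unchanged)
  p result[:dropped]        # ["user_id"]
end
```

This covers the "don't let the form set this column" half of Trausti's problem; for ids that must legitimately round-trip through the form (which record to delete), the check is still an ownership lookup on the server, with the id treated as untrusted input.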