hobo_create does not check permissions
Reported by Nicolas Oury | August 3rd, 2010 @ 09:52 AM | in Hobo 1.3 (Rails 3)
I don't know if it is general or just my configuration, but it seems hobo_create does not check that create_permitted? returns true.
To convince oneself:
- create a Model
- put its create_permitted? to true
- go to models/new (maybe in multiple windows, for added fun)
- change create_permitted? to true (or to raise "foo")
- fill and submit the forms
- the model(s) are created.
I don't know if it can be used to forge fake form submissions (or if the authenticity token prevents that; I do not really understand how the authenticity token is generated), but it surely prevents permissions that might evolve with the state of the app. (Someone can keep a models/new open...)
I am running ruby 1.8.7, Hobo 1.0.1 and Rails 2.3.8.
I have not made the same tests for update or destroy.
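The behaviour the reporter expects, as an added illustration that is not Hobo's code: a create action that evaluates the model's permission when the form is submitted, so a form rendered while creation was allowed is refused once the application state changes. Task, create_record, render_then_submit, SAVED and the creation_open toggle are constructed stand-ins; only create_permitted? and PermissionDeniedError are names taken from this ticket.

```ruby
# Added example (not Hobo's code): a create action that evaluates the
# model's permission when the form is submitted, not when it was rendered.
# Task, create_record, creation_open and SAVED are constructed stand-ins.

class PermissionDeniedError < StandardError; end

class Task
  # Class-level toggle standing in for application state that can change
  # while a "new" form sits open in another browser window (constructed).
  @creation_open = true
  class << self
    attr_accessor :creation_open
  end
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  # Stand-in for Hobo's create_permitted?: the answer depends on current
  # application state, so it has to be asked again at submit time.
  def create_permitted?
    self.class.creation_open
  end
end

# Constructed in-memory store for records the action accepts.
SAVED = []

# Stand-in for a hobo_create-style action: re-checks permission on the
# submitted attributes instead of trusting that the form was rendered
# while creation was allowed.
def create_record(params)
  record = Task.new(params)
  raise PermissionDeniedError, "create not permitted" unless record.create_permitted?
  SAVED << record
  record
end

# Scenario from the report: form rendered while creation was allowed, then
# permission withdrawn before the still-open form is submitted.
def render_then_submit(params)
  Task.creation_open = true   # form rendered at this point
  Task.creation_open = false  # state changes while the window stays open
  create_record(params)
  :created
rescue PermissionDeniedError
  :denied
end
```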
Comments and changes to this ticket
-
Matt Jones September 14th, 2011 @ 11:05 PM
- State changed from new to open
- Milestone set to Hobo 1.3 (Rails 3)
- Milestone order changed from 197866 to 0
-
Matt Jones September 21st, 2011 @ 03:18 PM
- State changed from open to resolved
I can't reproduce this in 1.3 - turning off create permissions and submitting the form results in a PermissionDeniedError.