How to safely let users submit custom themes/plugins for a Rails app
Posted
by Brian Armstrong
on Stack Overflow
See other posts from Stack Overflow
or by Brian Armstrong
Published on 2010-03-23T04:04:22Z
Indexed on
2010/03/23
4:11 UTC
Read the original article
Hit count: 351
In my rails app I'd like to let users submit custom "themes" to display data in various ways.
I think they can get the data in the view using API calls and I can create an authentication mechanism for this. Also an authenticated API to save data. So this is probably safe.
But i'm struggling with the best way to let users upload/submit their own code for the theme.
I want this to work sort of like Wordpress themes/plugins where people can upload the thing. But there are some security risks. For example, if I take the uploaded "theme" a user submits and put it in it's own directory somewhere inside the rails app, what are the risks of this?
If the user inserts any rails executable code in their theme, even though it's the view they have full access at that point to all the models, everyone's data, etc. Even from other users. So that is not good.
I need some way to let the uploaded themes exist in a sandbox of the rails app, but I haven't seen a good way to do this. Any ideas?
© Stack Overflow or respective owner