Rails: How to produce 404 or redirect upon undesired url exploitation?
Posted by Baby Diego on Stack Overflow
Published on 2010-04-13T22:45:05Z
Indexed on 2010/05/09 21:28 UTC
I want to hide the urls for editing users and their profiles behind safer and meaningful urls. For instance, I want /user/13/edit to be /settings/account and /user/13/profile/edit to be /settings/profile.
I managed to achieve that, but to do so I had to load the user information from the current_user in the session. Like so:
```ruby
# users_controller.rb
class UsersController < ApplicationController
  # Serves /settings/account: the record comes from the session, not the URL.
  def edit
    @user = current_user
  end
end

# profiles_controller.rb
class ProfilesController < ApplicationController
  # Serves /settings/profile: the profile is reached through the signed-in user.
  def edit
    @user = current_user
    @profile = @user.profile
  end
end
```
But now, since I can't compare @user.id from the params with the current_user in the session, how can I stop the old urls (/user/13/edit and /user/13/profile/edit) from being exploitable? They always load the forms for the current user, so there's no harm done, but I'd be more comfortable if they just produced a 404 error or something.
Thanks in advance.
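Added example, not part of the question or of any answer: plain Ruby with no Rails dependency that models the two defensive options for the old id-bearing urls, removing the route so the router itself answers 404, or keeping the route behind an ownership check that raises the same "not found" error Rails renders as a 404 page. The User struct, the NotFound class (standing in for ActiveRecord::RecordNotFound) and the tiny route table are constructed for the example; the only thing that decides which record is edited is the session user, as in the question's controllers.

```ruby
class NotFound < StandardError; end   # stands in for ActiveRecord::RecordNotFound

User = Struct.new(:id, :profile)      # constructed stand-in for the ActiveRecord model

# As in the question's controllers: the record comes from the session, never
# from the URL. An unauthenticated request is answered as "not found".
def current_user!(user)
  raise NotFound, "not signed in" if user.nil?
  user
end

# The check a `before_action` would run on the old /user/:id/... routes:
# the id in the URL must equal the signed-in user's own id, otherwise 404.
def require_own_record!(user, url_id)
  user = current_user!(user)
  raise NotFound, "no such record" unless url_id.to_s == user.id.to_s
  user
end

# Route table (pattern => handler) mirroring what routes.rb would declare.
# /user/:id/profile/edit is deliberately absent (option 1: drop the route);
# /user/:id/edit is kept but guarded (option 2: enforce ownership).
ROUTES = {
  %r{\A/settings/account\z} => ->(user, _m) { current_user!(user) },
  %r{\A/settings/profile\z} => ->(user, _m) { current_user!(user).profile },
  %r{\A/user/(\d+)/edit\z}  => ->(user, m)  { require_own_record!(user, m[1]) }
}.freeze

# Dispatch one request and return [status, record]. An unrouted path and a
# failed ownership check both yield a bare 404, so the response does not
# reveal whether the requested id exists.
def dispatch(path, user)
  ROUTES.each do |pattern, handler|
    m = pattern.match(path)
    return [200, handler.call(user, m)] if m
  end
  [404, nil]
rescue NotFound
  [404, nil]
end
```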