ruby on rails - Before filter on new and create actions? -


i have security related, general question rails.

let's assume have controller this:

def projectscontroller    before_action :user_has_paid, :only => [ :new, :create ]      ...    def new     @project = project.new   end    def create     @project = current_user.projects.build(project_params)     if @project.save       flash[:success] = "project saved."       redirect_to projects_path     else       render :new     end   end    ...    private      def user_has_paid       if current_user.has_not_paid?         flash[:notice] = "you must pay first."         redirect_to payments_path       end     end  end

from security point-of-view: need before_action on both new and create action?

to save couple of sql queries use on new action only, wonder if that's save or if malicious user might able circumvent new action , create project anyway, without having paid first.

thanks advice.

from security perspective you'll want have before_action on create action (otherwise malicious user user curl or bypass paying). whether have on new action depend on desired user experience - want users trying request 'new' view redirected (i.e. don't see view unless they've paid), or want allow users see view (and perhaps render warning message needing pay before submitting create action).

from performance standpoint, unless call current_user.has_not_paid? particularly intensive wouldn't worry queries.


-

Comments

Post a Comment

Popular posts from this blog

Java 8 + Maven Javadoc plugin: Error fetching URL -

i attempting generate javadoc links javadoc dependencies. have tried various means generate javadoc not produce qualified class names references classes dependencies. wanted links java doc simplified class names. however, java api classnames, no links , have qualified class names. working java 8. have following configuration: <plugin> <groupid>org.apache.maven.plugins</groupid> <artifactid>maven-javadoc-plugin</artifactid> <version>2.10.2</version> <configuration> <reportoutputdirectory>${project.basedir}/target</reportoutputdirectory> <destdir>javadoc</destdir> <windowtitle>epiphany</windowtitle> <doctitle>epiphany</doctitle> <show>private</show> <detectlinks>false</detectlinks> <detectoffline...
Read more

android - How to delete or change the searchview icon inside the SearchView actionBar? -

Image
how remove or change search view icon inside edittext? using appcompat library. i used below code modify , remove it's not working: searchmanager searchmanager = (searchmanager) getsystemservice(context.search_service); searchview.setsearchableinfo(searchmanager.getsearchableinfo(getcomponentname())); view search_mag_icon = (view)searchview.findviewbyid(android.support.v7.appcompat.r.id.search_mag_icon); search_mag_icon.setbackgroundresource(r.drawable.ic_stub); //search_mag_icon.setvisibility(view.gone); finally found solution. try following: try { field mdrawable = searchview.class.getdeclaredfield("msearchhinticon"); mdrawable.setaccessible(true); drawable drawable = (drawable)mdrawable.get(your search view here); drawable.setalpha(0); } catch (exception e) { e.printstacktrace(); }
Read more

c++ - Msgpack packing bools bug -

for c++ project use c++ msgpack library available in ubuntu (14.04) standard repository under name libmsgpack-dev. all works fine except when try pack bools. there things go absolutely bananas. first wrote simple test study pack method. turned out, can not trusted packing bools. here simple test showing problem: #include <msgpack.hpp> test_case("bool packing", "[msgpack1]") { msgpack::sbuffer buf; msgpack::packer<msgpack::sbuffer> p(&buf); std::string key = "boolvalue"; bool value = true; p.pack_map(1); { p.pack(key); p.pack(value); } msgpack::unpacked msg; msgpack::unpack(&msg, buf.data(), buf.size()); std::map<std::string, msgpack::object> m; msg.get().convert(&m); bool loaded_value; m.at(key).convert(&loaded_value); info("we packed: " << value); info("we loaded: " << loaded_value); r...
Read more