Don’t trust primary key parameters

By default Ruby on Rails URLs have the following format: http://www.domain.com/project/show/1, where "show" is the action to be performed and "1" is the project id, which is the primary key of the project table (i.e. a project's main identifier is the id, but it could be something else, such as the name). The controller uses it to load the project with the id 1 and present it to the user in some form or another.

You have to keep in mind that user authentication only prevents unauthorized people from logging in to the application. If you want to prevent logged-in users from viewing or altering certain information, you have to take additional precautions. For example, even though you don't have a link in your application to show the project with the id 2, you cannot stop a user from simply entering the URL http://www.domain.com/project/show/2. That means you have to check permissions every time someone wants to access an object, for example by verifying ownership:

# find the project with the id from the URL, but only
# if it is owned by the logged-in user (Rails 1.x/2.x
# finder syntax with :conditions); a foreign id raises
# ActiveRecord::RecordNotFound instead of returning the row

@project = Project.find(params[:id],
   :conditions => ["user_id = ?", session[:user_id]])
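To make the difference between the two lookups concrete without a Rails application, here is an added, self-contained Ruby model of the rule (this is example code, not from the original post or from Rails itself): `ProjectStore#find` mirrors the unscoped `Project.find(params[:id])`, `ProjectStore#find_for_user` mirrors the ownership-scoped finder above, and the two `show_*` methods stand in for the controller action. The class, method and sample project names are assumptions made for the example.

```ruby
# Added example (not from the original post): a Rails-free model of
# "check ownership on every lookup". Project, ProjectStore, NotFound and
# the show_* methods are hypothetical names chosen for this example.

Project = Struct.new(:id, :user_id, :name)

# Stands in for ActiveRecord::RecordNotFound (rendered as a 404 by Rails).
class NotFound < StandardError; end

class ProjectStore
  def initialize(projects)
    @by_id = projects.each_with_object({}) { |p, h| h[p.id] = p }
  end

  # Mirrors Project.find(id): trusts the id taken from the URL outright.
  def find(id)
    @by_id.fetch(to_id(id)) { raise NotFound, "project #{id}" }
  end

  # Mirrors Project.find(id, :conditions => ["user_id = ?", user_id]):
  # the id is only honoured when the row also belongs to the caller, and
  # a foreign id is indistinguishable from a missing one.
  def find_for_user(id, user_id)
    project = @by_id[to_id(id)]
    raise NotFound, "project #{id}" unless project && project.user_id == user_id
    project
  end

  private

  # Non-numeric ids from the URL are treated as "not found", not as errors.
  def to_id(id)
    Integer(id)
  rescue ArgumentError, TypeError
    raise NotFound, "project #{id.inspect}"
  end
end

# Constructed sample data: two users (10 and 20) and three projects.
STORE = ProjectStore.new([
  Project.new(1, 10, "alice-secret"),
  Project.new(2, 20, "bob-public"),
  Project.new(3, 10, "alice-draft"),
])

# Vulnerable "show" action: any logged-in user can read any id.
def show_unscoped(params, _session)
  STORE.find(params[:id])
end

# Hardened "show" action: the session's user id scopes the lookup.
def show_scoped(params, session)
  STORE.find_for_user(params[:id], session[:user_id])
end

# Names the given user can reach through the chosen action for a range
# of ids; makes the difference between the two actions easy to check.
def reachable_names(user_id, ids, scoped:)
  action = scoped ? method(:show_scoped) : method(:show_unscoped)
  ids.filter_map do |id|
    begin
      action.call({ id: id.to_s }, { user_id: user_id }).name
    rescue NotFound
      nil
    end
  end
end

if __FILE__ == $0
  p reachable_names(20, 1..3, scoped: false)  # every project, regardless of owner
  p reachable_names(20, 1..3, scoped: true)   # only the caller's own project
end
```

Raising the same not-found error for a foreign id as for a nonexistent one is deliberate: a "forbidden" response would confirm to the caller that project 1 exists even though they cannot read it.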
Also, the Rails Way has a good post on this:

http://www.therailsway.com/2007/3/26/association-proxies-are-your-friend