Brian Waddell
Learning all About Ruby

Today I learned about a Ruby gem called Pundit. Pundit revolves around the idea of policies: all knowledge about who can do what with a particular object is encapsulated in one place. In my case, I wanted to control who can interact with a photo from inside an instance method, so I created a photo policy class that let me set up rules for how a user interacts with a photo: who can delete a photo and who can edit one.
Here are just some of the security issues that were addressed:

A user could edit any other user's photos, captions, and comments, including deleting them
A user could see, accept, and reject other users' follow requests
A user could guess at URL endpoints and find them, even if they weren't linked; for example, they could go to routes like:

/comments
/photos
/likes
/follow_requests

Private profiles were not private at all.
I was able to address many of these security problems with:
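To make the policy idea concrete, here is an added example (my own illustration, not code from the original post or from the Pundit gem): a plain Ruby class written in the shape Pundit expects, PhotoPolicy.new(current_user, photo) with one predicate per action, plus a small stand-in for Pundit's authorize helper so the rules can be exercised without Rails or the gem installed. The User and Photo structs, the private_profile flag and the accepted_follower_ids list are assumed models chosen to cover the issues listed above: only the owner may edit or delete, and a private profile's photos are visible only to the owner and accepted followers.

```ruby
# Constructed stand-in models (assumptions for this example, not the post's app).
User  = Struct.new(:id, :private_profile, :accepted_follower_ids, keyword_init: true)
Photo = Struct.new(:id, :owner, keyword_init: true)

# Mirrors the error Pundit raises when a policy predicate returns false.
class NotAuthorizedError < StandardError; end

# Pundit convention: the policy is a plain Ruby object built from the acting
# user and the record, with a predicate named after each controller action.
class PhotoPolicy
  attr_reader :user, :photo

  def initialize(user, photo)
    @user  = user   # nil when nobody is logged in
    @photo = photo
  end

  # Viewing: public profiles are open to everyone; private profiles are
  # visible only to the owner and to followers whose request was accepted.
  def show?
    return true unless photo.owner.private_profile
    return false if user.nil?
    owner? || photo.owner.accepted_follower_ids.include?(user.id)
  end

  # Editing and deleting are owner-only, which closes the
  # "edit any other user's photos" hole.
  def update?
    owner?
  end

  def destroy?
    owner?
  end

  private

  def owner?
    !user.nil? && photo.owner.id == user.id
  end
end

# Stand-in for Pundit's `authorize(record, query)` controller helper (assumed
# shape): raise before the action body runs if the predicate says no.
def authorize(user, photo, query)
  policy = PhotoPolicy.new(user, photo)
  who = user ? "user #{user.id}" : "guest"
  raise NotAuthorizedError, "#{query} not allowed for #{who}" unless policy.public_send(query)
  true
end

# Constructed sample data: Alice is private and has accepted Bob as a follower;
# Carol is an unrelated user.
ALICE = User.new(id: 1, private_profile: true,  accepted_follower_ids: [2])
BOB   = User.new(id: 2, private_profile: false, accepted_follower_ids: [])
CAROL = User.new(id: 3, private_profile: false, accepted_follower_ids: [])
ALICES_PHOTO = Photo.new(id: 10, owner: ALICE)

# Returns a table of who may do what, handy for a quick sanity check.
def access_matrix(photo)
  { alice: ALICE, bob: BOB, carol: CAROL, guest: nil }.transform_values do |u|
    p = PhotoPolicy.new(u, photo)
    { show: p.show?, update: p.update?, destroy: p.destroy? }
  end
end

if __FILE__ == $PROGRAM_NAME
  access_matrix(ALICES_PHOTO).each { |name, perms| puts "#{name}: #{perms}" }
  begin
    authorize(CAROL, ALICES_PHOTO, :destroy?)
  rescue NotAuthorizedError => e
    puts "blocked: #{e.message}"
  end
end
```

In a Rails controller the same class is reached through Pundit's authorize call (for example authorize @photo in a destroy action), so a wrong guess at a URL such as /photos/10/edit is stopped by the policy rather than by hoping the link is hidden.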

Filters: before_action and skip_before_action.

Redirects: sending the user to a different page using redirect_to and redirect_back.

Ruby if/else statements to check whether a user had permission to perform certain operations.

Protecting routes by removing or limiting access with only: and except: after resources.

Security is an important concept to learn. I am excited by how much I was able to learn, but I know this is just the tip of the iceberg.
