Kat

Authentication and Security

Some of the methods we employ to address security issues are:
- before_action: We place this in the controller and name a method that we write below in the private section; it runs before the specified actions execute. So, for instance, before_action :is_authorized_user, only: [:destroy, :create] will run is_authorized_user before the create and destroy actions. We place these methods in the private section to follow the OOP principle of encapsulation and to increase security. This method contains the logic that determines whether the current user is authorized to perform the create or destroy actions.
- skip_before_action
- redirect_to
- redirect_back sends the user back to the route they came from; we can add fallback_location to specify where they should be sent if the application can't tell what the previous page was. You can also add a notice.
- current_user
- if/else conditional statements
- only: and except: to limit the routes that resources generates (e.g. there's no point in having a delete route for something you don't want to be deletable).
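To show how these pieces fit together without a running Rails app, here is an added example (not code from the original post, and not Rails itself): a small plain-Ruby stand-in for a controller that mimics before_action with only:/except:, skip_before_action, current_user and a halting redirect_to. MiniController, PostsController, the User/Post structs and the POSTS table are all constructed for this illustration; a real Rails controller gets this behaviour from ActionController.

```ruby
# Constructed stand-ins for a logged-in user and an owned record.
User = Struct.new(:id, :admin)
Post = Struct.new(:id, :author_id)

# Minimal imitation of the Rails filter chain (hypothetical, not ActionController).
class MiniController
  def self.filters
    @filters ||= []
  end

  # before_action :name, only: [...], except: [...]
  def self.before_action(method_name, only: nil, except: nil)
    filters << { method: method_name,
                 only: only && Array(only),
                 except: except && Array(except) }
  end

  # skip_before_action :name removes a filter a parent controller registered.
  def self.skip_before_action(method_name)
    filters.reject! { |f| f[:method] == method_name }
  end

  attr_reader :current_user, :redirected_to, :notice, :executed

  def initialize(current_user, params = {})
    @current_user = current_user   # nil means nobody is logged in
    @params = params
  end

  # Run every matching filter first; a redirect halts the chain, so the action
  # itself never runs for an unauthorized request.
  def dispatch(action)
    self.class.filters.each do |f|
      next if f[:only] && !f[:only].include?(action)
      next if f[:except] && f[:except].include?(action)
      send(f[:method])
      return self if @redirected_to
    end
    send(action)
    self
  end

  private

  def redirect_to(path, notice: nil)
    @redirected_to = path
    @notice = notice
  end
end

# Constructed sample data: post 1 belongs to user 10, post 2 to user 20.
POSTS = { 1 => Post.new(1, 10), 2 => Post.new(2, 20) }

class PostsController < MiniController
  before_action :require_login, except: [:index, :show]
  before_action :is_authorized_user, only: [:destroy, :update]

  def index;   @executed = :index;   end
  def show;    @executed = :show;    end
  def create;  @executed = :create;  end
  def update;  @executed = :update;  end
  def destroy; @executed = :destroy; end

  private

  # Guest users are bounced to the login page before any write action.
  def require_login
    redirect_to("/login", notice: "Please log in") unless current_user
  end

  # Only the post's author or an admin may update or destroy it.
  def is_authorized_user
    post = POSTS[@params[:id]]
    return redirect_to("/posts", notice: "Not found") unless post
    unless current_user.admin || post.author_id == current_user.id
      redirect_to("/posts", notice: "Not authorized")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  bob = User.new(20, false)
  r = PostsController.new(bob, { id: 1 }).dispatch(:destroy)
  puts "redirected to #{r.redirected_to.inspect} with notice #{r.notice.inspect}"
end
```

The check that matters is in dispatch: because a filter that redirects returns before send(action), the destructive code path is never reached for the wrong user, which is exactly what before_action buys you over an if/else inside the action.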
