
Record ID for authorization #441

@mtnstar

Hi

thx for creating this awesome gem for json:api and rails. we're just adding it to our open source project.

we're using devise to check authorization of a single record. this record is fetched by params[:id], so our check is made based on the :id provided in the URL. When updating a record by PATCH, it was possible to override the given :id if one just sets another id in the provided json payload: data.attributes.id.

so to make sure no one is able to update any other records, we added the following to our ApplicationResource:

  def self.find(params = {}, base_scope = nil)
    # make sure both id params are the same
    # for update since we're checking permission based on
    # params :id
    # data_id is nil when the JSON:API document carries no id;
    # param_id is never nil because nil.to_i is 0
    data_id = params[:data].try(:[], :id).try(:to_i)
    param_id = params[:id].to_i
    if data_id && param_id
      # reject the request before any record is loaded or updated
      raise ActionController::BadRequest unless data_id == param_id
    end

    super(params, base_scope)
  end

since this is security relevant, we'd like to share this insight here. I'm sure other projects are dealing with a similar situation. Maybe it would also be good to add some documentation about it.

maybe it would also be nice to have a Security chapter in the documentation. You could also mention there why it's safe to use Resource.find(params), because Rails developers are used to using strong_params and never passing params directly to a find method.
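A stand-alone version of the check from this issue, added here as an example (it is not code from the issue author or from the gem): it runs over constructed JSON:API PATCH documents and compares the URL id and the document id as strings rather than via to_i, so a document id such as "7abc" is rejected instead of being coerced to 7. The helper names and sample documents are assumptions made for the example.

```ruby
require "json"

class IdMismatchError < StandardError; end

# JSON:API ids are strings, so "7" and 7 compare equal but "7abc" does not
# (the snippet above compares with to_i, where "7abc".to_i == 7).
def normalize_id(value)
  value.nil? ? nil : value.to_s.strip
end

# Returns the id that may be used to load the record: the URL id, after
# checking that any id inside the JSON:API document agrees with it.
# `body` is the parsed request document (a Hash); raises IdMismatchError
# on disagreement so the caller can respond 400 before any lookup.
def authorized_record_id(url_id, body)
  url = normalize_id(url_id)
  raise ArgumentError, "url id is required" if url.nil? || url.empty?

  data = body.is_a?(Hash) ? body["data"] : nil
  body_id = data.is_a?(Hash) ? normalize_id(data["id"]) : nil

  # A body without an id is acceptable; one with a different id is not.
  if body_id && body_id != url
    raise IdMismatchError, "URL id #{url.inspect} != body id #{body_id.inspect}"
  end
  url
end

# Convenience wrapper that reports the outcome instead of raising.
def check_request(url_id, body)
  authorized_record_id(url_id, body)
  :ok
rescue IdMismatchError
  :mismatch
end

# Constructed sample PATCH documents, as a client would send them.
SAMPLE_OK       = JSON.parse('{"data":{"type":"posts","id":"7","attributes":{"title":"a"}}}')
SAMPLE_TAMPERED = JSON.parse('{"data":{"type":"posts","id":"9","attributes":{"title":"a"}}}')
SAMPLE_NO_ID    = JSON.parse('{"data":{"type":"posts","attributes":{"title":"a"}}}')
SAMPLE_COERCED  = JSON.parse('{"data":{"type":"posts","id":"7abc","attributes":{"title":"a"}}}')

puts check_request("7", SAMPLE_OK)        # ok
puts check_request("7", SAMPLE_TAMPERED)  # mismatch
puts check_request("7", SAMPLE_NO_ID)     # ok
puts check_request("7", SAMPLE_COERCED)   # mismatch; a to_i comparison would accept this
```

Because the comparison is exact, an id like "07" is also rejected against "/posts/7"; that is the safe direction for an authorization check, since the record is always loaded by the URL id that was authorized.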
