Home/ Questions/Q 6591983
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T17:29:44+00:00

So lets say I have a form for submitting a new post. The form

  • 0

So lets say I have a form for submitting a new post.

The form has a hidden field which specify’s the category_id. We are also on the show view for that very category.

What I’m worried about, is that someone using something like firebug, might just edit the category id in the code, and then submit the form – creating a post for a different category.

Obviously my form is more complicated and a different scenario – but the idea is the same. I also cannot define the category in the post’s create controller, as the category will be different on each show view…

Any solutions?

EDIT:

Here is a better question – is it possible to grab the Category id in the create controller for the post, if its not in a hidden field?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Does your site have the concept of permissions / access control lists on the categories themselves? If the user would have access to the other category, then I’d say there’s no worry here since there’s nothing stopping them from going to that other category and doing the same.

    If your categories are restricted in some manner, then I’d suggest nesting your Post under a category (nested resource routes) and do a before_filter to ensure you’re granted access to the appropriate category.

    config/routes.rb

    resources :categories do 
  resources :posts
end

    app/controllers/posts_controller

    before_filter :ensure_category_access

def create
  @post = @category.posts.new(params[:post])
  ...
end

private
def ensure_category_access
   @category = Category.find(params[:category_id])
   # do whatever you need to do. if you don't have to validate access, then I'm not sure I'd worry about this.  
   # If the user wants to change their category in their post instead of 
   # going to the other category and posting there, I don't think I see a concern?
end

    URL would look like

    GET
    /categories/1/posts/new
    POST
    /categories/1/posts

    • 0