Home/ Questions/Q 6748365
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T12:33:22+00:00

Sorry if this is an elementary question but I’ve just started to consider whether

  • 0

Sorry if this is an elementary question but I’ve just started to consider whether I’ve been doing this correctly all along. Usually when a user tries to update the database, I simply use his/her username as the key in a user table and then base all operations on that. However I just realized that a crafty user MIGHT be able to submit a query using another username name thus circumventing this weak form of enforcing entitlements. So my question really is how do I prevent a user from potentially submitting a destructive action against a database under a different userid?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should store the current user’s ID in the session, which isn’t easily manipulated.

    I usually refer to the objects through a relation on a User object:

        current_user.fragile_records.find(params[:id]).destroy

    It’s a readable and simple way of doing an ownership test.

    http://guides.rubyonrails.org/security.html is a surprisingly good read on the subject.

    There are plenty of readymade solutions for maintaining user identity (authentication) and ensuring user has clearance for an action (authorization) in Rails.

    • 0