[Nitro] Security problems

George Moschovitis george.moschovitis at gmail.com
Fri Nov 11 05:01:04 EST 2005


naah... I believe this is 'not a good thing'.

You should have a proper authorization system to prevent things like that ;-)
i.e. project/2 should be owned by a specific user.

the new constrained/scoped queries feature of Og 0.25.0 is *very* helpful here,
small example:

Project.with_scope(:condition => "user='gmosx'") do
  projects = Project.all # returns projects of gmosx
  project = Project[id] # only returns if the project with this id belongs to gmosx
  ...
end

and stuff like that...

-g.




On 11/11/05, Emmanuel Piperakis <epiperak at softlab.ece.ntua.gr> wrote:
> > Dear devs,
> >
> > I am wondering if anyone has found (or can find) any security problems
> > with Nitro. Moreover, If anyone can suggest any common security
> > measures that could be wrapped in a controller helper/aspect I would
> > like to know. Even urls for (authoritative) articles regarding web site
> > security would be helpful.
>
> I am not sure if this can be done already, but I would like the path to be
> hidden. I would like to show only the main page URI. I think it is a
> security problem if a user sees things like http://myhost.com/project/1
>
> The user might type /2 by himself...
>
> >
> > Thanks in advance,
> > George.
> >
> >
> > --
> > http://www.gmosx.com
> > http://www.navel.gr
> > http://www.nitrohq.com
> >
> > _______________________________________________
> > Nitro-general mailing list
> > Nitro-general at rubyforge.org
> > http://rubyforge.org/mailman/listinfo/nitro-general
> >
>
> Emmanouil Piperakis (epiperak at cs.ntua.gr)
> {To explore is Human, to Create is Devine,
>   To teach is Primal, to Rule is Sin}
>


--
http://www.gmosx.com
http://www.navel.gr
http://www.nitrohq.com
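The point of the thread, as an added example that is not part of either mail and does not reproduce Og's real with_scope implementation: an in-memory stand-in for the owner-scoped lookup, showing that an unscoped Project[id] lets a user who guesses /project/2 read someone else's record, while a lookup run inside an owner scope returns nil for the same id. The ProjectRepo class, the sample rows and the user names are constructed for this example.

```ruby
# Constructed stand-in for the Og pattern discussed above (not Og/Nitro code).
Project = Struct.new(:id, :user, :name)

# Constructed sample data: two users, three projects.
PROJECTS = [
  Project.new(1, 'gmosx', 'Nitro'),
  Project.new(2, 'epiperak', 'Thesis'),
  Project.new(3, 'gmosx', 'Og'),
].freeze

class ProjectRepo
  def initialize(rows)
    @rows = rows
    @scope = nil # per-request (thread-local) in a real app; kept simple here
  end

  # Run the block with every query constrained to the given owner,
  # restoring the previous scope afterwards even if the block raises.
  def with_scope(user:)
    previous, @scope = @scope, user
    yield self
  ensure
    @scope = previous
  end

  def all
    @scope ? @rows.select { |p| p.user == @scope } : @rows
  end

  # Equivalent of Project[id]: nil when the id exists but lies outside the
  # scope, so guessing /2 from /project/1 yields nothing instead of a record.
  def [](id)
    all.find { |p| p.id == id }
  end
end

REPO = ProjectRepo.new(PROJECTS)

# Unscoped lookup: the URL-guessing problem from the original mail.
def unscoped_lookup(id)
  REPO[id]
end

# Scoped lookup: what a controller helper should do with the logged-in user.
def lookup_for(user, id)
  REPO.with_scope(user: user) { |r| r[id] }
end

def project_ids_for(user)
  REPO.with_scope(user: user) { |r| r.all.map(&:id) }
end
```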



