[Rails] ActionController design question
Stefan Kaes
skaes at gmx.net
Mon Feb 14 14:20:39 GMT 2005
With the current implementation, every public method of a controller is
a valid action name, which means that they are all callable via
factoring a corresponding url. So every rails application is open to
script kiddies. I think this is a major problem. I think it would be
preferable to specify the valid actions using a class method in the
controller declaration, e.g. like this:
actions :index, :show, :edit, ...
This is easily implemented by adding a Hash containing the valid action
names to the ActionController, which can be used by the dispatcher to
determine whether the specified action name is valid. Scaffolding can
easily be changed to add the names of the generated actions to the
controller, so this would not require much effort by the rails programmer.
I know this would break a lot of apps, but IMHO, the current state of
affairs is not acceptable. In order to mitigate this problem I suggest
adding an option variable that can be set in the config file. To give
you an idea what can be called via URI, I have listed the public methods
available for tinkering below.
-- stefan
=======================================================================
request=
to_yaml_type
instance_variables
call_consider_all_requests_local
fragment_cache_store=
frozen?
process
__send__
to_a
page_cache_directory
action_name
call_logger
perform_action_without_benchmark
call_ignore_missing_templates
cache_erb_fragment
page_cache_directory=
class
call_perform_caching
to_yaml_properties
instance_variable_get
expire_action
controller_class_name
cache_name_for
expire_page
render
to_s
perform_action_with_benchmark
view_controller_internals
send
url_for
clone
nil?
view_controller_internals=
display
expire_fragment
instance_variable_set
controller_name
inspect
expire_actions
instance_eval
render_without_benchmark
expire_matched_fragments
perform_action_without_rescue
dup
remove_subclasses_of
to_yaml
equal?
call_template_root
active_layout
methods
require
cache_page
render_with_benchmark
consider_all_requests_local
method
taint
subclasses_of
consider_all_requests_local=
eql?
index
hash
call_fragment_cache_store
showm
params
singleton_methods
ignore_missing_templates
params=
render_with_layout
extend
instance_of?
ignore_missing_templates=
is_complex_yaml?
perform_action_with_filters
read_fragment
id
template_class
session
protected_methods
tainted?
response
template_class=
kind_of?
untaint
session=
process_cgi
response=
before_action
write_fragment
call_template_class
__id__
rendered_action_cache
private_methods
call_view_controller_internals
==
headers
===
rendered_action_cache=
module_name
freeze
is_a?
perform_caching
logger
headers=
require_gem
after_action
paginate
object_id
perform_caching=
logger=
cookies
call_page_cache_directory
public_methods
=~
assigns
template_root
request
assigns=
respond_to?
fragment_cache_store
template_root=
type
============================================================================
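The following is an added illustration, not code from the post or from Rails, of the allowlist the post proposes: a class macro records the declared action names in a hash, and the dispatcher refuses anything else. The names BaseController, actions, dispatch_permissive and dispatch_strict are assumptions made for the example; the two dispatch methods stand in for the current behaviour (any public method reachable by URL) and the proposed behaviour (declared actions only).

```ruby
# Added example, not from the original post or from Rails.
# BaseController, `actions`, `dispatch_permissive` and `dispatch_strict`
# are hypothetical names chosen for this illustration.

class UnknownAction < StandardError; end

class BaseController
  # Class-level registry of callable actions, keyed by action name,
  # as proposed: a Hash the dispatcher can consult before calling anything.
  def self.actions(*names)
    @actions ||= {}
    names.each { |n| @actions[n.to_s] = true }
  end

  def self.action?(name)
    (@actions || {}).key?(name.to_s)
  end

  # Models the behaviour criticised in the post: whatever action name the
  # URL carries is sent to the controller, so every public method,
  # including those inherited from Object, is reachable.
  def self.dispatch_permissive(action, *args)
    new.public_send(action, *args)
  end

  # Models the proposed behaviour: only names declared with `actions`
  # are dispatched; anything else is rejected before any code runs.
  def self.dispatch_strict(action, *args)
    unless action?(action)
      raise UnknownAction, "#{name}##{action} is not a declared action"
    end
    new.public_send(action, *args)
  end
end

class ArticlesController < BaseController
  actions :index, :show

  def index
    "listing articles"
  end

  def show(id = 1)
    "article #{id}"
  end

  # A public helper that was never meant to be an action (for instance one
  # mixed in by a caching module); permissive dispatch still exposes it.
  def expire_page
    "cache cleared"
  end
end

# Everything a URL could reach under permissive dispatch: the controller's
# own public methods plus every public method inherited from Object.
def reachable_under_permissive(klass)
  klass.new.public_methods.map(&:to_s).sort
end

# Everything a URL can reach under strict dispatch: the declared names only.
def reachable_under_strict(klass, candidates)
  candidates.map(&:to_s).select { |c| klass.action?(c) }.sort
end

if __FILE__ == $0
  puts ArticlesController.dispatch_permissive(:expire_page)   # reachable today
  puts ArticlesController.dispatch_strict(:index)             # declared, allowed
  begin
    ArticlesController.dispatch_strict(:expire_page)
  rescue UnknownAction => e
    puts "rejected: #{e.message}"
  end
end
```

The difference is visible in reachable_under_permissive, which lists instance_eval, send and the other Object methods from the post's table alongside index and show, whereas reachable_under_strict only ever returns names passed to actions.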