Thanks for the answer, I will add the missing `else super`, but the main concern is still there. What is going to prevent someone calling `url?scope=delete_all` from messing up my database?
On Fri, Nov 11, 2011 at 2:16 AM, Sergio Cambra .:: entreCables S.L. ::. <[email protected]> wrote:
> On Friday, 11 November 2011 01:56:27 slava wrote:
>> Hello,
>> I want to be able to pass scope param into my embedded scaffold and
>> wrote this method and put it the controller (should it go into
>> helper?)
>>
>> def beginning_of_chain
>>   scope = params[:scope] ? params[:scope].to_sym : nil
>>   if scope and super.send(scope).class == ActiveRecord::Relation
>>     super.send scope
>>   end
>> end
>
> You should add
>   else
>     super
>
> Or it won't work when params[:scope] is nil
>
>> My question is security related. What would prevent some one to pass
>> param=delete_all and mess up my database and how can I protect against
>> this.
>
> Change the scope test and use this:
>   super.class.scopes.keys.include? scope
>
>> thank you.
>
> --
> Sergio Cambra .:: entreCables S.L. ::.
> Mariana Pineda 23, 50.018 Zaragoza
> T) 902 021 404 F) 976 52 98 07 E) [email protected]
>
> --
> You received this message because you are subscribed to the Google Groups
> "ActiveScaffold : Ruby on Rails plugin" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/activescaffold?hl=en.
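A stand-alone Ruby sketch of the allow-list check Sergio suggests, added here as an example; it is not code from this thread or from ActiveScaffold and it does not load Rails. `FakeRelation`, its `scopes` hash and `apply_scope` are assumptions standing in for `ActiveRecord::Relation`, `super.class.scopes.keys` and the controller's `beginning_of_chain`. The point it shows is that the check has to run before any method is dispatched on user input: `send(scope)` inside the `if` test already calls whatever name arrived in the param, so the class comparison afterwards is too late.

```ruby
# Added example (not code from the thread or from ActiveScaffold).
# FakeRelation is a hypothetical stand-in for ActiveRecord::Relation;
# its `scopes` hash plays the role of `super.class.scopes`.

class FakeRelation
  # Two harmless named scopes, as a model might declare with `scope`.
  SCOPES = {
    active: ->(rows) { rows.select { |r| r[:active] } },
    recent: ->(rows) { rows.sort_by { |r| -r[:id] }.first(2) }
  }.freeze

  attr_reader :rows

  def initialize(rows)
    @rows = rows
  end

  def self.scopes
    SCOPES
  end

  SCOPES.each do |name, fn|
    define_method(name) { FakeRelation.new(fn.call(rows)) }
  end

  # Destructive method that an unchecked `send(params[:scope])` would reach.
  def delete_all
    @rows = []
    self
  end
end

class ScopeNotAllowed < StandardError; end

# Controller-side filter: only a name present in the model's declared scopes
# may be called. Anything else either falls back to the unfiltered chain
# (default) or, with strict: true, raises so the request can be rejected.
def apply_scope(relation, scope_param, strict: false)
  return relation if scope_param.nil? || scope_param.empty?

  # Compare as strings: the user value is never interned with to_sym and
  # never dispatched until it has matched a declared scope name.
  allowed = relation.class.scopes.keys.map(&:to_s)
  unless allowed.include?(scope_param)
    raise ScopeNotAllowed, "scope not permitted: #{scope_param.inspect}" if strict

    return relation
  end

  relation.public_send(scope_param.to_sym)
end

# Constructed sample data, labelled as such.
sample = FakeRelation.new([
  { id: 1, active: true },
  { id: 2, active: false },
  { id: 3, active: true }
])

if __FILE__ == $PROGRAM_NAME
  puts apply_scope(sample, "active").rows.map { |r| r[:id] }.inspect     # [1, 3]
  puts apply_scope(sample, "delete_all").rows.size                       # 3, unchanged
end
```

Whether the unknown name falls back to the full chain or raises is a design choice: the fallback keeps a mistyped link working, the strict form makes probing for non-scope method names visible in the logs.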
