
This is potentially a pretty big security hole for apps, right? For example:

    posts = current_user ? current_user.posts : Post.public
    posts = posts.where(:user_id => params[:user_id]) if params[:user_id]
In the old Rails, that code is guaranteed not to show any private posts. But with the new Rails it'll show you everything written by a user.

Granted, it's pretty awkward code, but I can imagine situations where people might be inclined to write something like that.



I think that sort of code is extremely common. It's a bit less awkward if `current_user` is never nil, but is sometimes a non-saved Guest record, letting you write code like this:

    @posts = current_user.posts
    @posts = @posts.where(user_id: params[:user_id]) if params[:user_id]
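The hazard both comments describe, as an added example that is not from either commenter and does not use Rails: a small Ruby stand-in for a relation with two merge policies, `:and` (every `where` clause is kept) and `:override` (a later `where` on the same column replaces the earlier one). Under `:override` the controller pattern quoted above returns another user's private post; `index_safe` is a hypothetical hardened version that checks the parameter explicitly instead of relying on how predicates merge.

```ruby
# Post rows stand in for a database table; Relation is a tiny stand-in for an
# ActiveRecord relation that records where() predicates and applies them in to_a.
Post = Struct.new(:id, :user_id, :public)

class Relation
  # policy :and keeps every where() clause (old behaviour); :override lets a
  # later where() on the same column replace the earlier one (new behaviour).
  def initialize(rows, policy, conds = [])
    @rows, @policy, @conds = rows, policy, conds
  end

  def where(col, val)
    kept = @conds.reject { |c, _| @policy == :override && c == col }
    Relation.new(@rows, @policy, kept + [[col, val]])
  end

  def to_a
    @rows.select { |r| @conds.all? { |c, v| r[c] == v } }
  end
end

# Constructed sample data: post 4 is user 2's private post and must never be
# visible to user 1.
POSTS = [Post.new(1, 1, true), Post.new(2, 1, false),
         Post.new(3, 2, true), Post.new(4, 2, false)]

def scope_for(policy, current_user_id)
  rel = Relation.new(POSTS, policy)
  current_user_id ? rel.where(:user_id, current_user_id) : rel.where(:public, true)
end

# The controller logic quoted in the thread: start from the authorized scope,
# then narrow by the user_id parameter.
def index(policy, current_user_id, filter_user_id)
  posts = scope_for(policy, current_user_id)
  posts = posts.where(:user_id, filter_user_id) if filter_user_id
  posts.to_a.map(&:id)
end

# Hardened version: the user_id parameter is checked against the scope
# explicitly instead of relying on how the ORM merges predicates on one column.
def index_safe(policy, current_user_id, filter_user_id)
  return [] if filter_user_id && current_user_id && filter_user_id != current_user_id
  index(policy, current_user_id, filter_user_id)
end
```

With `:and`, `index(:and, 1, 2)` yields nothing because both `user_id` predicates stay; with `:override` the same call yields posts 3 and 4, including user 2's private post.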



