tags:

views:

51

answers:

4
+1  Q: 

is this a secure approach in ActiveRecords in Rails?

Hello,

I am using the following for my customers to unsubscribe from my mailing list;

  def index
    @user = User.find_by_salt(params[:subscribe_code]) 
    if @user.nil? 
      flash[:notice] = "the link is not valid...."
      render :action => 'index'
    else    
      Notification.delete_all(:user_id => @user.id)
      flash[:notice] = "you have been unsubscribed....."
      redirect_to :controller => 'home'
    end 
  end

my link looks like; http://site.com/unsubscribe/32hj5h2j33j3h333

so the above compares the random string to a field in my user table and accordingly deletes data from the notification table.

My question; is this approach secure? is there a better/more efficient way for doing this?

All suggestions are welcome.

A: 

I think this is safer:

@user = User.find :all, :conditions => { salt => params[:subscribe_code] }

That way you are sure that Rails knows params[:subscribe_code] is to be escaped. There are probably lots of ways to write it that would work though.

Mike Williamson  2010-04-09 08:23:20
The `User.find_by_salt` call escapes the string. So there is no difference.
KandadaBoggu  2010-04-09 08:27:37
I had a vague feeling that might be the case. Good to know for sure. Thanks!
Mike Williamson  2010-04-09 09:04:57
+3  A: 

I don't see anything wrong in your solution if the action doesn't require authentication.

If the action requires authentication then I would make sure that the salt belongs to the current user

@user = User.find_by_id_and_salt(current_user.id, params[:subscribe_code])
KandadaBoggu  2010-04-09 08:31:55
Thank you, there is no authentication. I just wanted to be sure it is ok. Thank you all.
Adnan  2010-04-09 11:13:59
A: 

your link should be

http://site.com/unsubscribe/?subscribe_code=32hj5h2j33j3h333

otherwise "32hj5h2j33j3h333" will get as a params[:id]

else is fine. Assuming subscribe_code will be unique.

Salil  2010-04-09 08:44:36
Not true, he may have `map.unsubscribe 'unsubscribe/:subscribe_code', :controller => "where", :action => "ever"`.
Ryan Bigg  2010-04-09 09:29:13
Yea Ryan that is what I have.
Adnan  2010-04-09 11:11:54
+1  A: 

Is it all that important that the user be informed if their unsubscribe link was wrong? What are the chances of that anyway? Wasn't it generated programmatically and that program is tested? If the answer is "yes" (hint: it should be) then my suggestion would be to always tell the user that they've unsubscribed, regardless of what happened.

def index
  begin
    @user = User.find_by_salt!(params[:subscribe_code]) 
  rescue ActiveRecord::RecordNotFound
  ensure
    @user.notifications.delete_all if @user
    flash[:notice] = "You have been unsubscribed."
    redirect_to :action => "index"
  end
end
Ryan Bigg  2010-04-09 09:33:30

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.