Web Dev Bros » Blog Archive » Protect your XHR actions (RoR)

Protect your XHR actions (RoR)

December 5, 2007, 4:50 pm by Michal

Using XHR within Ruby on Rails is as easy as adding up 1 and 1. We use e.g. the link_to_remote helper and point it to a controllers action. The small problem here is that the XHR actions are all available publicly. So calling the action directly within the browser works as well. I say 'small' problem because we cannot really prevent calling them directly but we can narrow the access only to XHR calls. We want to achieve that a common request to an XHR will fail. XHR actions will only be available if the request itself is an xhr?.

The solution with a bit of Rubyism: every xhr action needs to be postfixed with _xhr. If a calling request is not an xhr then we redirect the user the home url. For this we add a simple before_filter within our ApplicationController which will check all out actions. Here is the snippet...

RUBY:

class ApplicationController <ActionController::Base
before_filter :protect_xhr_actions
protected
#protects all actions which ends with '_xhr' against a direct call (no xhr)
def protect_xhr_actions
redirect_to home_url and false if self.action_name.ends_with?('_xhr') and !request.xhr?
end
end

Note: to use the home_url put something like the following into your routes.rb.

RUBY:

#this gives us a home_url
map.home '/', :controller => 'home'

You can also replace home_url by a hash pointing to specific controller and action. e.g. redirect_to {:controller => 'mycontroller', :action => 'myaction'} ...

2 Stars

3 Stars

4 Stars

5 Stars

(No Ratings Yet)

Loading ...

Category: Ruby on Rails | Comment (RSS)

Leave a Reply

subscribe to our feed
Web dev brothers
- What is that all about?
- Authors
  - Dave
  - Fabian
  - Julien
  - Michal
Recent Comments
- ajaxed 2.0 released (4)
  Michal: "Hi Sean, you might be interested in http://groups.google.com/gr..."
  
  Sean: "Michal, Is it possible to use ajaxed wth jquery instead of prototype ? If no, would it..."
- Generate JSON from VBScript (ASP) datatypes (181)
  Sam: "Two things: – I found two ASP libraries and couldn’t decide if either had..."
  
  Tony: "Hi Sam, Could you make it public, so we can test (and use ;-)) it?"
  
  Michal: "no, not really"
- Michal (9)
  Bren: "Hey Michal, Are there any plans to restart Jelly in BKK? I’m very interested in..."
- Keep session alive with Javascript (22)
  Mato: "Here’s a piece of PHP code, that I use to generate 1×1px jpeg image. You can..."
- Are you listening to music while coding? Then try this simple game … (4)
  Gellert: "Hi, Great idea.. thanks… now I know what i need blogs for. I think my life will..."
Categories
- .net (4)
- Adobe Flex (5)
  - Siam Flex (4)
- AJAX (6)
- Browsers (4)
- c# (8)
- classic ASP (VBScript) (29)
  - ajaxed (14)
- communities (4)
- CSS (5)
- Deutsche Artikel (11)
  - ASP (VBScript) (5)
  - CSS (2)
  - HTML pur (1)
  - Javascript (1)
- Events (1)
- fun (4)
- general stuff (24)
- google (4)
- Javascript (11)
- JSON (6)
- Mobile (3)
  - Android (3)
- nhibernate (3)
- PHP (4)
  - xajax (1)
- Pragmatic programmer (2)
- programming style (3)
- protoypejs (5)
- regular expressions (1)
- Reviews (1)
- Ruby on Rails (13)
- scriptaculous (4)
- SQL (3)
- Testing (2)
- tools (17)
- user interface design (6)
- visual studio (1)
- web 2.0 (5)
- web security (1)
- webdevbros (4)
- wordpress (1)
Friends blogs
Projects
Archives
- December 2009
- November 2009
- October 2009
- August 2009
- July 2009
- June 2009
- May 2009
- December 2008
- November 2008
- October 2008
- August 2008
- July 2008
- May 2008
- April 2008
- March 2008
- January 2008
- December 2007
- November 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- December 2006
- November 2006
- March 2006
- January 2006
- November 2005
- June 2005
- May 2005
- March 2005