Protect your XHR actions (RoR)

Using XHR within Ruby on Rails is as easy as adding 1 and 1. We use e.g. the link_to_remote helper and point it to a controller's action. The small problem here is that the XHR actions are all publicly available, so calling the action directly in the browser works as well. I say 'small' problem because we cannot really prevent them from being called directly, but we can narrow the access to XHR calls only. We want a normal (non-XHR) request to an XHR action to fail: XHR actions will only be available if the request itself is an xhr?.

The solution, with a bit of Rubyism: every XHR action needs to be postfixed with _xhr. If the calling request is not an xhr? then we redirect the user to the home URL. For this we add a simple before_filter in our ApplicationController which checks all our actions. Here is the snippet…
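The filter described above, as an added example that is not the post's own snippet: Rails is not loaded here, so a minimal stand-in controller and request object are constructed, and HOME_URL, FakeRequest and XhrGuardController are assumed names. In a real app the method body goes into ApplicationController behind before_filter :require_xhr_for_xhr_actions and redirects with redirect_to home_url.

```ruby
# Stand-in for the part of the Rails request object the filter uses.
# In Rails, request.xhr? is true when the X-Requested-With header is
# "XMLHttpRequest", so this only narrows access; it is not authentication.
FakeRequest = Struct.new(:xhr) do
  def xhr?
    xhr
  end
end

class XhrGuardController
  HOME_URL = "/".freeze # assumed value of the application's home_url

  attr_reader :request, :action_name, :redirected_to

  def initialize(action_name, xhr:)
    @action_name = action_name      # Rails sets this per dispatched action
    @request = FakeRequest.new(xhr)
    @redirected_to = nil
  end

  # before_filter body: actions postfixed with _xhr are only served to
  # XHR requests; everything else passes through untouched. Returning
  # false after a redirect halts the filter chain, as Rails expects.
  def require_xhr_for_xhr_actions
    return true unless action_name.end_with?("_xhr")
    return true if request.xhr?

    redirect_to(HOME_URL)
    false
  end

  # Stand-in for ActionController's redirect_to.
  def redirect_to(url)
    @redirected_to = url
  end

  # Runs the filter and reports whether the action would be served.
  def dispatch
    require_xhr_for_xhr_actions ? :allowed : :redirected
  end
end
```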

Ruby on Rails: Protect params from injection

Using ActionController's params method directly in your models can be very risky. You know, doing this: User.new(params[:user]). Someone could easily create their own form with additional parameters and thereby update your model without your knowledge. The reason is clear: you take all available attributes from params. This article shows some solutions to protect your forms against such injections.