
Brad Ediger

"Advanced Rails"

rb
class Message < ActiveRecord::Base
  belongs_to :user
end

app/controllers/messages_controller.rb
class MessagesController < ApplicationController
  def show
    @message = Message.find params[:id]
  end
end
That example would allow anyone to read any message, even messages owned by
other users. In this case, you probably want to restrict viewing of messages to the
users that own them. The proper way to do that is:
Application Issues | 135
def show
  @message = Message.find_by_user_id_and_id(current_user.id, params[:id])
end
This automatically gives you protection against users viewing messages they don't
own, by raising a RecordNotFound exception.
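To make the difference between the two show actions concrete, here is an added example (not from the book) that uses a tiny in-memory stand-in for ActiveRecord: the Message table, RecordNotFound class and the two action methods are all constructed for this demonstration, and the finder names mirror the ones used in the text.

```ruby
# Constructed stand-in for ActiveRecord::RecordNotFound (not Rails code).
class RecordNotFound < StandardError; end

class Message
  attr_reader :id, :user_id, :body

  def initialize(id, user_id, body)
    @id, @user_id, @body = id, user_id, body
  end

  # Constructed sample table: message 2 belongs to user 20, not to user 10.
  TABLE = [
    new(1, 10, "alice's note"),
    new(2, 20, "bob's private note"),
  ].freeze

  # Stand-in for Message.find(id): looks up by primary key only and ignores
  # ownership entirely, so any valid id is returned to any caller.
  def self.find(id)
    TABLE.find { |m| m.id == id.to_i } or raise RecordNotFound, "Message #{id}"
  end

  # Stand-in for the dynamic finder Message.find_by_user_id_and_id: both
  # columns must match, so another user's message is simply not found (nil).
  def self.find_by_user_id_and_id(user_id, id)
    TABLE.find { |m| m.user_id == user_id && m.id == id.to_i }
  end
end

User = Struct.new(:id)

# The vulnerable show action from the text: any authenticated user can read
# any message by guessing or incrementing the id in the URL.
def insecure_show(current_user, params)
  Message.find(params[:id])
end

# The hardened show action: scope the lookup to the owner, and turn a miss
# into RecordNotFound so the controller renders a 404 instead of leaking data.
def secure_show(current_user, params)
  Message.find_by_user_id_and_id(current_user.id, params[:id]) or
    raise RecordNotFound, "Message #{params[:id]} for user #{current_user.id}"
end
```

Note that a RecordNotFound for a foreign id is indistinguishable from one for a nonexistent id, which is exactly what you want: the response does not confirm that the other user's message exists.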
Secure Fallback
Now that many Rails applications incorporate some amount of AJAX, fallback is an
important concern. Depending on your users' needs, either graceful degradation
(starting with a full-featured site, then testing and fixing for older browsers) or
progressive enhancement (starting with minimal features and adding features for
newer browsers) may be the catch phrase. In either case, developing for older browsers
involves fallback, or using a less-preferred option when the preferred option fails.
It is important that fallback is secure; otherwise, attackers could force the application
into fallback mode in order to exploit its weaknesses.
A typical example of fallback on the Web is using a regular form post when a JavaScript
form post fails:

<form ... onsubmit="do_ajax_submit(); return false;">

