Our industrial-grade application is shaping up, but it's sorely lacking in one area: security. Right now, everyone can see everything and do everything (especially if they can guess URLs, which are easy to guess since we're following RESTful conventions and using sequential integer IDs).
Use what you've learned about:

- Filters: `before_action` and `skip_before_action`
- Redirecting: `redirect_to` and `redirect_back`
- Devise's `current_user` method
- Ruby's `if`/`else` statements

to add some security to our application. A non-exhaustive list of things to do:
- If I click delete on a photo that's not mine, I should be redirected back to the page I was on before.
- If I click edit on a photo that's not mine, I should be redirected back to the page I was on before.
- If I click delete on a comment that's not mine, I should be redirected back to the page I was on before.
- If I click edit on a comment that's not mine, I should be redirected back to the page I was on before.
- If I'm not a user's accepted follower, I can't see their posts (but I can visit their page, see their followers, and who they are following).
- Only a user should be able to see their own Pending follow requests.
- Is the application secure? Put on your white-hat hacker hat: can you think of any other attacks?

In every case, the check belongs in the controller (a `before_action` that runs for `edit`, `update`, and `destroy`), not only in the view. Hiding a link or button does nothing against a hand-typed URL or a crafted form submission; only the server-side check does.
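The rules above, written as a plain-Ruby policy object so they can be exercised without booting Rails. This is an added example, not code from the original assignment: the `User`, `Photo`, `Comment` and `FollowRequest` names follow the assignment, but the `status` values `"pending"`/`"accepted"` and the `guard_owner` helper are assumptions. The comment at the top shows how the same policy would be called from a `before_action` in a real controller.

```ruby
# Added example (not from the original assignment). Authorization rules for
# Photogram as a plain-Ruby policy, plus sample data, so the logic can be run
# and tested outside Rails.
#
# In the real app the policy is called from a filter, e.g. in PhotosController:
#
#   before_action :ensure_owner, only: [:edit, :update, :destroy]
#
#   def ensure_owner
#     @photo = Photo.find(params[:id])
#     redirect_back(fallback_location: root_url) unless Policy.owner?(current_user, @photo)
#   end
#
# Guarding :update and :destroy, not just :edit, is the point: hiding the link
# does not stop a hand-crafted PATCH or DELETE request.

User          = Struct.new(:id, :username)
Photo         = Struct.new(:id, :owner_id, :caption)
Comment       = Struct.new(:id, :author_id, :photo_id, :body)
# status values are assumed: "pending" until accepted, "accepted" afterwards
FollowRequest = Struct.new(:sender_id, :recipient_id, :status)

module Policy
  # Edit/delete on a photo or comment: only the record's owner may do it.
  # Photos expose owner_id, comments expose author_id; a nil (logged-out)
  # user owns nothing.
  def self.owner?(user, record)
    return false if user.nil?
    owner_id = record.respond_to?(:owner_id) ? record.owner_id : record.author_id
    owner_id == user.id
  end

  # Seeing someone's photos: yourself, or a follower whose request was
  # *accepted*. A pending request grants nothing.
  def self.can_view_photos?(viewer, owner, follow_requests)
    return false if viewer.nil?
    return true if viewer.id == owner.id
    follow_requests.any? do |fr|
      fr.sender_id == viewer.id && fr.recipient_id == owner.id && fr.status == "accepted"
    end
  end

  # Pending follow requests are visible only to the user who received them.
  def self.can_view_pending_requests?(viewer, owner)
    !viewer.nil? && viewer.id == owner.id
  end
end

# What the before_action decides: :allow falls through to the action,
# :redirect_back maps to redirect_back(fallback_location: root_url).
def guard_owner(current_user, record)
  Policy.owner?(current_user, record) ? :allow : :redirect_back
end

# Constructed sample data: alice owns a photo, bob commented on it and is an
# accepted follower of alice, carol's follow request is still pending.
ALICE   = User.new(1, "alice")
BOB     = User.new(2, "bob")
CAROL   = User.new(3, "carol")
PHOTO   = Photo.new(10, ALICE.id, "lunch")
COMMENT = Comment.new(100, BOB.id, PHOTO.id, "nice")
FOLLOW_REQUESTS = [
  FollowRequest.new(BOB.id, ALICE.id, "accepted"),
  FollowRequest.new(CAROL.id, ALICE.id, "pending"),
]

if __FILE__ == $PROGRAM_NAME
  puts "bob deletes alice's photo:    #{guard_owner(BOB, PHOTO)}"        # :redirect_back
  puts "alice edits her own photo:    #{guard_owner(ALICE, PHOTO)}"      # :allow
  puts "alice deletes bob's comment:  #{guard_owner(ALICE, COMMENT)}"    # :redirect_back
  puts "bob sees alice's photos:      #{Policy.can_view_photos?(BOB, ALICE, FOLLOW_REQUESTS)}"   # true
  puts "carol sees alice's photos:    #{Policy.can_view_photos?(CAROL, ALICE, FOLLOW_REQUESTS)}" # false
  puts "bob sees alice's pending:     #{Policy.can_view_pending_requests?(BOB, ALICE)}"          # false
end
```

Keeping the decision in one place (`Policy`) means the photo and comment filters share the same test cases, and the "accepted, not pending" distinction is checked exactly once instead of being re-implemented in each view.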