Security issue. There is no way to authorize the sortable resources. #30
Comments
Thanks @psmir
@itmammoth
In SortableController you can do something like this:
Thanks @psmir
authorize_rails_sortable does not depend on other libraries. It is a wrapper. You could demand this wrapper to return a boolean value. In order to authorize sortable resources, developers should define the wrapper something like this:
You can use the rails_sortable? method in SortableController to check records before sorting. If it returns false for some record you can skip it or raise an exception and stop sorting entirely. I don't think this is the best solution. I just wanted to clarify my thoughts.
I understand your thoughts.
@psmir - Thank you for finding the bug! @itmammoth - Due to the security implications, has there been any progress on this?
Sorry for no progress.
It is not possible to use this library in production until this security bug is fixed :(
I made a PR to fix the issue. That might be NOT the best way, but I think good enough.
[#30] Use message_verifier to prevent html from tampering
1.3.0 has been released.
It is possible to change IDs in the markup and sort arbitrary sortable models. For example, a user can
change such code
to
and sort. After that the users will be reordered.
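The fix referenced in the thread binds each sortable id to its model with a signed token so that ids edited in the markup are rejected server-side. The following is an added illustration of that approach and is not rails_sortable's own code: it stands in for ActiveSupport::MessageVerifier with a plain HMAC from the Ruby standard library, and the secret, model names and ids are constructed placeholders.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed secret for this example; a real app would derive it from secret_key_base.
SECRET = "example-secret-not-for-production"

# Constant-time comparison so a forged signature cannot be probed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def hmac(payload, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
end

# Rendering side: the markup carries this signed token instead of a bare id,
# so the model class and record id travel together under one signature.
def sign_sortable(model, id, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate("model" => model, "id" => id))
  "#{payload}--#{hmac(payload, secret)}"
end

# Request side: only a (model, id) pair whose signature verifies is returned;
# anything edited in the browser yields nil.
def verify_sortable(token, secret = SECRET)
  payload, sig = token.to_s.split("--", 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_compare(hmac(payload, secret), sig)
  data = JSON.parse(Base64.strict_decode64(payload))
  [data["model"], data["id"]]
rescue ArgumentError, JSON::ParserError
  nil
end

# For one sort request: the verified ids in submitted order, or nil when any
# token was tampered with or names another model, so the reorder is aborted.
def verified_order(tokens, expected_model, secret = SECRET)
  tokens.map do |t|
    model, id = verify_sortable(t, secret)
    return nil unless model == expected_model
    id
  end
end
```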