by Polylactic_acid 2322 days ago
The unscoped find issue is fairly easily solved by using devise's current_user in combination with something like cancancan. Let them send anything as a param but have the controller blow up if the user doesn't have permission to access it.

I suspect an insane number of websites are validated only by the frontend and can be exploited like this.

2 comments

You'd suspect right :) I've had a huge number of bounties from this as a result of finding the pattern first on Reverb.
Can't this be solved with scoping via the pundit gem, as well?
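The unscoped find the thread is about, beside the two fixes it names (scoping the lookup through `current_user`, and loading the record and then letting a cancancan/Pundit-style policy reject it), as an added example that is not from the thread. `Invoice`, `INVOICES`, `InvoicePolicy` and `current_user_id` are hypothetical stand-ins so it runs without Rails, and the data is constructed.

```ruby
# Stand-ins (hypothetical) for an ActiveRecord model, Devise's current_user and
# a cancancan/Pundit-style policy; no Rails needed to run this.
NotFound  = Class.new(StandardError)
Forbidden = Class.new(StandardError)
Invoice   = Struct.new(:id, :owner_id, :amount)

# Constructed sample data: user 100 owns invoices 1 and 2, user 200 owns 3.
INVOICES = [Invoice.new(1, 100, 50), Invoice.new(2, 100, 75), Invoice.new(3, 200, 20)].freeze

# Vulnerable: looks up whatever id the client sent. Any logged-in user can read
# any invoice by editing the id in the request; only the frontend "validates".
def show_unscoped(params)
  INVOICES.find { |i| i.id == params[:id] } or raise NotFound
end

# Fix 1: scope the query through the current user's own records, the equivalent
# of current_user.invoices.find(params[:id]). Other users' ids are simply not
# in that set, so the request ends as not-found rather than a data leak.
def show_scoped(current_user_id, params)
  INVOICES.find { |i| i.owner_id == current_user_id && i.id == params[:id] } or raise NotFound
end

# Fix 2: load the record, then blow up unless a policy says this user may see
# it (what cancancan's load_and_authorize_resource or Pundit's authorize does).
class InvoicePolicy
  def initialize(user_id, invoice)
    @user_id, @invoice = user_id, invoice
  end

  def show?
    @invoice.owner_id == @user_id
  end
end

def show_authorized(current_user_id, params)
  invoice = INVOICES.find { |i| i.id == params[:id] } or raise NotFound
  raise Forbidden unless InvoicePolicy.new(current_user_id, invoice).show?
  invoice
end

# Runs one lookup and reports the amount returned or the error class raised.
def result_of
  yield.amount
rescue NotFound, Forbidden => e
  e.class
end
```

Fix 1 answers not-found for a foreign id and so never confirms the record exists, while Fix 2 answers forbidden, which reveals existence; pick deliberately.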