team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

small update to A7

Browse Source
This commit is contained in:
Mike McCabe
2013-11-14 11:24:15 -05:00
parent f53ab56e92
commit 3ec9765ca3
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/views/layouts/tutorial/access_control/_access_control_first.html.erb
+2 -2
View File
@@ -66,13 +66,13 @@
</p> </p>
<p><b>Failure to Restrict URL Access - SOLUTION</b></p> <p><b>Failure to Restrict URL Access - SOLUTION</b></p>
<p class="desc"> <p class="desc">
The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows: The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to remove the conditional and enforce the filter on all access requests to the admin dashboard as follows:
</p> </p>
<pre class="ruby"> <pre class="ruby">
<%= %q{ <%= %q{
class AdminController < ApplicationController class AdminController < ApplicationController
before_filter :administrative, :if => :admin_param before_filter :administrative
} %> } %>
</pre> </pre>
</div> </div>