I am designing a website which has many users; each user has many posts, and each post has many photos. Because I want users to be able to preview the uploaded photos while they are creating a new post, I found the answer here, which suggested using a subform to upload photos.
I use CarrierWave to handle photo uploads and jquery-file-upload for the user interface. The models are:
class User < ActiveRecord::Base
  has_many :posts, dependent: :destroy
end

class Post < ActiveRecord::Base
  # :photo_ids is mass-assignable so the post form can submit the ids of
  # photos that were already uploaded (this is the part questioned below)
  attr_accessible :title, :description, :photo_ids
  belongs_to :user
  has_many :photos, dependent: :destroy
end

class Photo < ActiveRecord::Base
  mount_uploader :image, ImageUploader   # CarrierWave uploader
  attr_accessible :image
  belongs_to :post                       # nil until the post has been created
end
In the new post view, I put a jquery-file-upload UI above the normal post form. Then:
1. When the user selects a photo, it is uploaded to PhotosController via the jquery-file-upload API. The post_id of this photo is nil at this step.
2. After the photo upload has finished, I use JavaScript to add a hidden input to the post form like this:
<input type="hidden" id="post_photo_ids" name="post[photo_ids][]" value="#{the id of the photo}">
3. The user can repeat steps 1 and 2 many times, then submit the post.
Everything works well, however...
I don't think it's a good idea to allow mass assignment of photo_ids, because someone can use this request to assign another user's photos to his own post (in the edit view). The referenced answer suggested using a randomized access key to improve security, but when someone visits another user's post, he can still get the randomized access keys of those photos, right?
So the implementation is not safe for now, right?
Could anyone give me some suggestions on the proper way to handle this problem?
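The following is an added example, not code from the question or from any answer to it, showing the ownership check that the randomized access key does not give you: record who uploaded each photo at upload time (an assumed user_id column on Photo, set from current_user in PhotosController while post_id is still nil), and when the post is created or edited, never mass-assign params[:post][:photo_ids]. Instead, filter the submitted ids through a scope that only returns the current user's own, still-unattached photos, and refuse to touch a post the current user does not own. The ActiveRecord equivalent of the filter is current_user.photos.where(id: ids, post_id: nil); to keep this runnable without Rails, the example models the tables with plain Ruby structs, and attachable_photos, attach_photos! and the sample rows are all assumptions made for illustration.

```ruby
# Framework-free model of "attach only photos the current user owns".
# Photo#user_id, Post#user_id and the helpers below are assumptions for this
# example; in Rails they would be columns on the models and controller code.
Photo = Struct.new(:id, :user_id, :post_id)
Post  = Struct.new(:id, :user_id, :photo_ids)

class NotAuthorized < StandardError; end

# Constructed sample rows standing in for the photos table.
PHOTOS = [
  Photo.new(1, 10, nil),  # uploaded by user 10, not attached to any post yet
  Photo.new(2, 10, nil),  # uploaded by user 10, not attached yet
  Photo.new(3, 20, nil),  # uploaded by user 20: must never be claimable by user 10
  Photo.new(4, 10, 99),   # user 10's, but already attached to post 99
]

# Equivalent of current_user.photos.where(id: submitted_ids, post_id: nil):
# keeps only ids that belong to the current user and are not attached yet.
# Non-numeric or duplicate ids coming from the form are simply dropped.
def attachable_photos(photos, current_user_id, submitted_ids)
  ids = Array(submitted_ids).map { |i| Integer(i) rescue nil }.compact.uniq
  photos.select do |p|
    p.user_id == current_user_id && p.post_id.nil? && ids.include?(p.id)
  end
end

# What the controller does instead of post.update(params[:post]) with photo_ids:
# verify the post belongs to the current user, then attach only the ids that
# survived the owner filter. Returns the ids that were actually attached.
def attach_photos!(post, photos, current_user_id, submitted_ids)
  raise NotAuthorized, "post belongs to another user" unless post.user_id == current_user_id
  allowed = attachable_photos(photos, current_user_id, submitted_ids)
  allowed.each { |p| p.post_id = post.id }
  post.photo_ids |= allowed.map(&:id)
  allowed.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  photos = PHOTOS.map(&:dup)
  post = Post.new(5, 10, [])
  # user 10 submits ids 1..4 plus junk; only 1 and 2 are attached
  puts attach_photos!(post, photos, 10, %w[1 2 3 4 abc]).inspect
end
```

Because the filter runs against the current user's own photos, a stolen id or access key from somebody else's post page is useless: it is not in the scope, so it is silently dropped. The post_id.nil? condition also prevents a photo from being re-attached to a second post, and the post ownership check covers the edit view.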