
I have two RoR3 applications:

  • http://users.domain.local
  • http://profiles.domain.local

I created the 'users/models/profile.rb':

class Profile < ActiveResource::Base
  self.site = "http://profiles.domain.local"
end

In 'profiles/models/profile.rb' I have:

class Profile < ActiveRecord::Base
  # only :name may be mass-assigned; user_id is intentionally left out
  attr_accessible :name
end

My profile's SQL table contains these columns:

  • id
  • name
  • user_id

So if I run Profile.create(:name => "test_name") a new profile will be created in http://profiles.domain.local with the name "test_name".

For obvious security reasons, I don't want to make the 'user_id' attribute accessible, but I need to set it on profile creation from the 'users' application.

I tried a lot of ways to do that, but I can't find an easy solution. Maybe it is possible with an if statement near the 'attr_accessible' of the 'profiles' application that fills a request from the 'users' application.

Can somebody help me?

user502052

2 Answers


You could try something like what Amazon Web Services does: use a very long, randomly generated key with each request. Check that key is correct in your profiles app, and if yes, update the attribute.

David Sulc
  • Are you sure that Amazon uses this approach? It sounds a little "hackerable"... Anyway, I must first communicate the key to the 'profiles' application and then compare them. All through 'NET:HTTP' GET request? Is it the right way? – user502052 Jan 11 '11 at 02:27
  • The way Amazon, Google, etc. do it is: they give you an API key, which is essentially a long string of random characters. The way it is used is like a password: the `profiles` application sends it to the `users` application (either on each request, or at the start of each session). On `profiles`, the API key will typically either be hard-coded or in a configuration file. `Users` will then check the API key is valid, matches your account, and is authorized to perform the action you're requesting. Don't forget to use SSL if you're sending sensitive info over untrusted networks. – David Sulc Jan 11 '11 at 02:39
  • In this case I do not need SSL, but for others I need that. However I have a lot of problems, almost using ActiveResource Class (one of my problems: http://stackoverflow.com/questions/4653006/full-example-on-using-activeresource-with-a-certificate-authentication) – user502052 Jan 11 '11 at 02:44
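A plain-Ruby sketch of the shared-key scheme this answer describes, added here as an example and not code from the question, the answer, or either application. It stands in for the two Rails apps so it runs without Rails: the `X-Api-Key` header name, the `build_profile` / `users_app_request` method names and the generated key are assumptions. The point it shows is that `user_id` never comes through the mass-assignment whitelist (the `attr_accessible :name` equivalent); it is set by explicit assignment only after the caller has proven, with the shared key, that it is the 'users' app.

```ruby
# Added example: the receiving side ('profiles') and the sending side ('users')
# of an API-key-protected create request, modelled in plain Ruby.
require 'securerandom'

# Shared secret. In the real apps this would sit in a config file on both
# sides (never in source control); it is generated here so the example runs.
API_KEY = SecureRandom.hex(32)   # 64 hex chars = 256 random bits

# Constant-time comparison so response timing does not reveal how many
# leading bytes of a guessed key were correct.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mirrors `attr_accessible :name` in the 'profiles' app: only these keys may
# be taken from the request body. user_id is deliberately not listed.
ACCESSIBLE = %w[name].freeze

# What 'profiles' would do in its create action (assumed name: build_profile).
# Returns the attributes that would be saved and whether the caller was trusted.
def build_profile(headers, params)
  # Whitelist filtering: unlisted attributes are dropped, which is what
  # attr_accessible does with a user_id smuggled into the body.
  attrs = params.fetch('profile', {}).select { |k, _| ACCESSIBLE.include?(k) }
  profile = { 'name' => attrs['name'], 'user_id' => nil }

  trusted = secure_compare(headers['X-Api-Key'].to_s, API_KEY)
  if trusted && params['user_id']
    # Explicit assignment, gated on the key check, instead of mass assignment.
    profile['user_id'] = Integer(params['user_id'])
  end
  [profile, trusted]
end

# What 'users' would send (assumed name: users_app_request). In ActiveResource
# the header can be attached with `self.headers` on the resource class.
def users_app_request(user_id, name)
  { headers: { 'X-Api-Key' => API_KEY },
    params:  { 'profile' => { 'name' => name }, 'user_id' => user_id.to_s } }
end

if __FILE__ == $0
  req = users_app_request(34, 'test_name')
  p build_profile(req[:headers], req[:params])
  # A caller without the key cannot set user_id, even by putting it in the body.
  p build_profile({}, { 'profile' => { 'name' => 'x', 'user_id' => '1' } })
end
```

The key only authenticates the calling application, so, as the comments above say, the request still needs TLS on any untrusted network; otherwise the key (and the profile data) travel in the clear.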

Solution: Don't simply use Profile.create, use the association builders instead. Protect the user_id attribute and use user.profiles.create!(params[:profile]) to have it automatically set the user_id field for profiles to whatever the user object is.

Ryan Bigg
  • Using 'Profile.create!(:user_id => '34')' I get an "undefined method `create!' for Profile:Class" error. 'Profile.create(:user_id => '34')' works, but does nothing with the ':user_id'! – user502052 Jan 11 '11 at 03:28
  • Maybe I am wrong with association builders... can you give me an example based on the data I have provided in question? – user502052 Jan 11 '11 at 05:39
  • My bad, it seems that `Profile` isn't an ActiveRecord class like I thought it was. – Ryan Bigg Jan 11 '11 at 21:04