What are the security issues of using User.current_user
Question
This post - http://www.ruby-forum.com/topic/51782 - seems to suggest a way of setting User.current_user in a before_filter in a controller and accessing User.current_user in models affected by that action. Is this perfectly thread-safe or are there security issues here? Seems like the correct approach would be to always pass in @current_user into any model that needs it, but that gets messy.
2 answers
solution1
5 2010-10-10 21:49:51
That solution is not thread safe and when processing two requests (A and B), the later one will change the earlier one's current user mid request (which would be almost impossible to debug and extremely confusing to the user).
Store the user (or the user id) in the current thread's storage.
class User < ActiveRecord::Base
class << self
def current_user
Thread.current[:current_user]
end
def current_user=(user)
Thread.current[:current_user] = user
end
end
end
before_filter :set_current_user
private
def set_current_user
User.current_user = User.find(session[:user_id])
end
solution2
2 2010-10-10 21:37:13
Using a global before_filter in your ApplicationController should be thread-safe (if you are using thread local storage). This is from the excellent declarative_authorization gem's documentation :
If you'd like to use model security, add a before_filter that sets the user globally to your ApplicationController. This is thread-safe.
before_filter :set_current_user protected def set_current_user Authorization.current_user = current_user end
Update:
The actual implementation of Authorization.current_user looks like this . It uses thread-local storage, which is what makes it thread-safe.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.