So here's the general setup I have. I am currently signed in as second_user. first_user has made a single post with the title "Hello" and the body "This is a post!"
Now I'm going to visit "New Post" and make a post. Keep in mind that anything you put in the page markup is observable and editable by the end user. Let me open up devtools on this new page. The hidden_field for the author's user_id is still in the markup; it's just rendered with type="hidden" so the browser doesn't display it. Not being displayed doesn't mean it isn't there, and the user can tamper with it just as easily as with any visible field. Let me change value="2" to value="1".
Now I'll fill in the title and body with some information and submit.
So now I've created a post with first_user as the author while I'm signed in as second_user. This absolutely should not happen. Imagine if any random Twitter user could tweet on behalf of other users: it'd be chaos, and the site would be unusable.
You need to be checking current_user in the controller for things like this, and setting the post's author from it rather than from anything that arrived in the form. When you use current_user in the controller, that information comes from the user's session data, which the user can't edit in devtools the way they can a form field, so it is much more difficult to tamper with.
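To make the fix concrete, here is an added example of mine, not code from the screencast, that models both the vulnerable and the corrected create action in plain Ruby. Rails itself is not loaded: User, Post, the params hash, the session and current_user are simulated under assumed names so the two controllers can be run side by side against the same tampered request.

```ruby
# Added example, not code from the screencast. Plain Ruby, no Rails loaded:
# User, Post, the params hash, the session and current_user are all simulated
# (assumed names) so the two controllers can run side by side.

User = Struct.new(:id, :name)
Post = Struct.new(:user_id, :title, :body)

# Two accounts, matching the screencast's setup.
USERS = {
  1 => User.new(1, 'first_user'),
  2 => User.new(2, 'second_user'),
}.freeze

# Stand-in for ActionController::Parameters#permit: drop any key not allowed.
def permit(params, *allowed)
  params.select { |key, _| allowed.include?(key) }
end

class FakeController
  attr_reader :params, :session

  def initialize(session:, params:)
    @session = session   # what Rails reads from the session cookie
    @params  = params    # what the browser sent in the form body
  end

  # Looked up from the session, never from the form.
  def current_user
    USERS.fetch(session[:user_id])
  end
end

# Vulnerable: user_id is permitted, so whatever the (hidden, editable) field
# says becomes the author. A user who changes value="2" to value="1" in
# devtools posts as first_user.
class VulnerablePostsController < FakeController
  def create
    post_params = permit(params[:post], :title, :body, :user_id)
    Post.new(Integer(post_params[:user_id]), post_params[:title], post_params[:body])
  end
end

# Fixed: user_id is not in the permit list (a tampered value is silently
# dropped), and the author is taken from current_user instead.
class SafePostsController < FakeController
  def create
    post_params = permit(params[:post], :title, :body)
    Post.new(current_user.id, post_params[:title], post_params[:body])
  end
end

# Constructed request: the session says second_user (id 2), but the form's
# hidden user_id was edited in devtools to 1.
SESSION_AS_SECOND_USER = { user_id: 2 }.freeze
TAMPERED_PARAMS = {
  post: { title: 'Hello back', body: 'Not really from first_user', user_id: '1' },
}.freeze

def vulnerable_create
  VulnerablePostsController.new(session: SESSION_AS_SECOND_USER, params: TAMPERED_PARAMS).create
end

def safe_create
  SafePostsController.new(session: SESSION_AS_SECOND_USER, params: TAMPERED_PARAMS).create
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: author id #{vulnerable_create.user_id}"  # 1 (first_user): the tamper worked
  puts "safe:       author id #{safe_create.user_id}"        # 2 (second_user): form value ignored
end
```

In a real Rails controller the corrected version is the usual current_user.posts.build(params.require(:post).permit(:title, :body)), and the hidden user_id field should be removed from the form altogether, since the server never needs it. The same rule applies to edit, update and destroy: look the record up through current_user.posts.find(params[:id]) rather than Post.find, so a user can't operate on someone else's post by editing an id in the request.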
nice demonstration