In chapter 10, page 138, the author is talking about the threat of the Internet and the fact that ‘we also want to prevent access to other people’s carts’. He proposes removing :cart_id from line_items_controller.rb; however, this does not prevent me from seeing other customers’ carts. I can still easily browse ‘http://localhost:3000/carts/2’, for example, where I am the owner of the cart with ID 1.
In order to fix the problem, I changed carts_controller.rb to below:
```ruby
class CartsController < ApplicationController
  include CurrentCart   # provides the session-based set_cart from the concern
  before_action :set_cart, only: [:show, :edit, :update, :destroy]
  rescue_from ActiveRecord::RecordNotFound, with: :invalid_cart

  # (rest of the controller unchanged)
end
```
And commented the local set_cart method in carts_controller.rb:
```ruby
  private

    # Use callbacks to share common setup or constraints between actions.
    # def set_cart
    #   @cart = Cart.find(params[:id])
    # end
```
This way, no matter what cart_id you enter as a GET parameter, you’d always get your own cart_id, which is written in your session variable, and you cannot ask to see another cart_id. (‘include CurrentCart’ includes the CurrentCart concern that the book talks about in earlier chapters.)
Was wondering if anyone else agrees with me that the solution that the author proposes to prevent browsing others’ carts is not really working and if you agree with my workaround.
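To make the difference between the two lookups concrete, here is a small Rails-free simulation (an added example, not code from the book or from the post above): CartStore and the plain hash standing in for the session are assumed stand-ins for the Cart model and the Rails session.

```ruby
# Constructed stand-in for the Cart model: an in-memory table with
# auto-incrementing ids and a find that raises like ActiveRecord does.
class CartStore
  class RecordNotFound < StandardError; end

  def initialize
    @carts = {}
    @next_id = 1
  end

  # Equivalent of Cart.create
  def create
    id = @next_id
    @next_id += 1
    @carts[id] = { id: id, items: [] }
  end

  # Equivalent of Cart.find: unknown id raises, as in the scaffold
  def find(id)
    @carts.fetch(Integer(id)) { raise RecordNotFound, "cart #{id}" }
  end
end

# Before: the scaffold's set_cart trusts the id taken from the URL, so a
# visitor owning cart 1 can request /carts/2 and read someone else's cart.
def show_cart_from_params(store, params)
  store.find(params[:id])
end

# After: the CurrentCart-style set_cart ignores the URL id entirely and
# uses the cart id stored in the visitor's own session, creating a fresh
# cart when the session has none (or points at a deleted cart).
def show_cart_from_session(store, session, _params)
  store.find(session[:cart_id])
rescue CartStore::RecordNotFound, TypeError, ArgumentError
  cart = store.create
  session[:cart_id] = cart[:id]
  cart
end
```

Whatever id the visitor puts in the URL, the second lookup only ever returns the cart recorded in that visitor's session.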