Upgrading From Rails < 2.0.1 – Security Notice

So when you're upgrading a neglected Rails app that hasn't been touched in a couple of years to the new hotness, make sure you check your before filters.

Previously, in Rails < 2.0.1, returning false from a before_filter halted the filter chain and the action was never called. In Rails >= 2.0.1 the return value of a before_filter is ignored: a filter _must_ render or redirect in order to halt the chain and stop the controller action from running.

This is a serious security issue if your authorization filter relies on returning false: after the upgrade it keeps running and keeps returning false, but nothing is halted, so every action it guards becomes reachable by users who should have been rejected. Make sure to update such filters to redirect or render a 403 instead.

In our case we also created an errors directory under views to hold a 403.erb view, which we now render wherever we used to just return false.

Previously:

return false

Now:

render 'errors/403', :status => 403 and return false
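To make the difference concrete without spinning up Rails, here is an added example (not code from the original post) that models the two filter-chain rules in a small stand-in controller class. `MiniController`, `before_filter`, `process`, `performed?` and the `:guest`/`:admin` user symbols are hypothetical stand-ins for the Rails internals, and the pre-2.0.1 behaviour is emulated with a `halt_on_false` flag so both rules can be run side by side. Under the new rule the legacy `return false` filter lets `destroy` run for a guest; the render-a-403 version halts it.

```ruby
# Added example, not from the original post: a minimal stand-in for the
# Rails filter chain showing why `return false` no longer halts processing
# in Rails >= 2.0.1. Class names, `process` and `performed?` are hypothetical.

class MiniController
  attr_reader :status, :body, :action_ran

  def self.before_filters
    @before_filters ||= []
  end

  # Stand-in for Rails' `before_filter :name` class macro.
  def self.before_filter(name)
    before_filters << name
  end

  def initialize(current_user)
    @current_user = current_user   # constructed input: :guest or :admin
    @status = nil
    @body = nil
    @action_ran = false
  end

  # halt_on_false = true  mimics Rails <  2.0.1: a filter returning false halts.
  # halt_on_false = false mimics Rails >= 2.0.1: only render/redirect halts,
  # the filter's return value is ignored.
  def process(action, halt_on_false = false)
    self.class.before_filters.each do |filter|
      result = send(filter)
      return self if performed?                  # rendered or redirected
      return self if halt_on_false && result == false
    end
    send(action)
    self
  end

  # True once a response has been produced, as Rails' performed? reports.
  def performed?
    !@status.nil?
  end

  def render(template, options = {})
    @status = options[:status] || 200
    @body = "rendered #{template}"
  end

  def redirect_to(path)
    @status = 302
    @body = "redirect to #{path}"
  end

  def admin?
    @current_user == :admin
  end
end

# The pre-2.0.1 idiom. Under the >= 2.0.1 rule this filter never halts anything.
class LegacyAdminController < MiniController
  before_filter :authorize

  def authorize
    return false unless admin?   # BUG on Rails >= 2.0.1: chain continues
    true
  end

  def destroy
    @action_ran = true
    render 'admin/destroyed'
  end
end

# The fixed idiom from the post: render a 403 so the chain actually halts.
class FixedAdminController < MiniController
  before_filter :authorize

  def authorize
    render 'errors/403', :status => 403 and return false unless admin?
    true
  end

  def destroy
    @action_ran = true
    render 'admin/destroyed'
  end
end

# Runs one request through a controller and returns it for inspection.
def run(klass, user, halt_on_false = false, action = :destroy)
  klass.new(user).process(action, halt_on_false)
end

if __FILE__ == $0
  [[LegacyAdminController, true], [LegacyAdminController, false],
   [FixedAdminController, false]].each do |klass, old_rule|
    c = run(klass, :guest, old_rule)
    puts "#{klass} (halt_on_false=#{old_rule}) as guest: " \
         "status=#{c.status.inspect} action_ran=#{c.action_ran}"
  end
end
```

The interesting case is the second line of output: the legacy filter under the new rule reports `status=200 action_ran=true` for a guest, which is exactly the silent authorization bypass the post warns about. The `and return false` in the fixed filter is harmless on either version; it is the `render` that does the halting.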
