Comments on: Part 4 – Flex Cairngorm/WebORB Issue Tracker Tutorial – Invoking ActiveRecord Methods Directly From Flex http://flexonrails.net/?p=54 - Tue, 22 Dec 2009 16:08:15 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Prem http://flexonrails.net/?p=54&cpage=1#comment-80821 Prem Tue, 13 Jan 2009 19:35:46 +0000 http://flexonrails.net/?p=54#comment-80821 I really like this project and I downloaded the code and looking thorough it . I cant seem to find the UserService in any of the code. Also it would be useful to have a SQL Script to create the db if thats available. Thanks much again Prem I really like this project and I downloaded the code and looking thorough it . I cant seem to find the UserService in any of the code. Also it would be useful to have a SQL Script to create the db if thats available.

Thanks much again
Prem

]]> By: Nerdmaster http://flexonrails.net/?p=54&cpage=1#comment-25537 Nerdmaster Sat, 09 Jun 2007 01:01:05 +0000 http://flexonrails.net/?p=54#comment-25537 I think this is a great concept, but I have to agree with Tyler. You'd have to be very careful to only open some of the methods, and be amazingly restrictive about what you returned. Once you have access to an object, you can access almost anything related to that object. Imagine calling service.find_by_username_and_password('valid_user', 'valid_password').class.find(:all) to get a full list of users and passwords. Additionally, even if you only expose certain methods (find_by_username_and_password), if the user is able to see your internal data structure, they might now know that your DB has a field "is_superuser" and knows better how to attack you via other methods. I imagine WebORB has a lot of security options, but my problem would be forgetting to secure that one, seemingly-harmless method that turns out to give a hacker exactly what he needs to totally trash my app's data. I think this is a great concept, but I have to agree with Tyler. You’d have to be very careful to only open some of the methods, and be amazingly restrictive about what you returned. Once you have access to an object, you can access almost anything related to that object. Imagine calling service.find_by_username_and_password(’valid_user’, ‘valid_password’).class.find(:all) to get a full list of users and passwords.

Additionally, even if you only expose certain methods (find_by_username_and_password), if the user is able to see your internal data structure, they might now know that your DB has a field “is_superuser” and knows better how to attack you via other methods.

I imagine WebORB has a lot of security options, but my problem would be forgetting to secure that one, seemingly-harmless method that turns out to give a hacker exactly what he needs to totally trash my app’s data.

]]> By: Tyler Larson http://flexonrails.net/?p=54&cpage=1#comment-12648 Tyler Larson Tue, 10 Apr 2007 01:24:29 +0000 http://flexonrails.net/?p=54#comment-12648 This seems like a bad idea to open access to classes on the back end. What happens when the person decompiles the file and then writes something that calls service.find_by_username(username).delete() or some other function they shouldn't. Maybe we can set up something to prevent these things on the server but it seems like this might open up big holes in security. If there is an answer I might convert tomorrow but this could be very bad. This seems like a bad idea to open access to classes on the back end. What happens when the person decompiles the file and then writes something that calls service.find_by_username(username).delete() or some other function they shouldn’t. Maybe we can set up something to prevent these things on the server but it seems like this might open up big holes in security. If there is an answer I might convert tomorrow but this could be very bad.

]]> By: Derek Wischusen http://flexonrails.net/?p=54&cpage=1#comment-2261 Derek Wischusen Mon, 15 Jan 2007 00:40:53 +0000 http://flexonrails.net/?p=54#comment-2261 Right you are. Thank you for spotting the error. Right you are. Thank you for spotting the error.

]]> By: maxkar http://flexonrails.net/?p=54&cpage=1#comment-2259 maxkar Mon, 15 Jan 2007 00:31:50 +0000 http://flexonrails.net/?p=54#comment-2259 2. Open up the remote-services.xml file (located in C:\rails\rails_issue_tracker2\config\WEB-INF\flex) and map the RemoteObject directly to an ActiveRecord class. This is the mapping for the userService RemoteObject: Correction to file name: remote-services.xml = remoting-config.xml 2. Open up the remote-services.xml file (located in C:\rails\rails_issue_tracker2\config\WEB-INF\flex) and map the RemoteObject directly to an ActiveRecord class. This is the mapping for the userService RemoteObject:

Correction to file name:
remote-services.xml = remoting-config.xml

]]>