#21 new

AASM, Stateful, any user can delete any other?

Reported by Sander | October 7th, 2008 @ 06:23 PM

Hi Guys,

Creating the user and sessions with stateful or aasm generates a potentially unsafe default configuration. It allows any user that can login to destroy any other user by using the :purge route. You need to be a bit creative with curl, but I've just managed to do so in my own setup.

In the User model it is mentioned that there is no page for update and delete, but with stateful and aasm there is. That might not be noticed by a regular developer. I wonder if any sites are affected.

The obvious solution is to not include the purge route, but that does not solve the problem completely. The absence of an admin user and a check for it also exposes the suspend, unsuspend and delete actions.

Kind regards,


Comments and changes to this ticket

  • mrflip

    mrflip October 9th, 2008 @ 06:57 AM

    • Tag changed from aasm, acts_as_state_machine, bug, routing, security, stateful to aasm, acts_as_state_machine, bug, routing, security, stateful

    You are right. At the very least we should add a comment instructing the user to access-control protect those routes. (The rest-auth plugin is mostly authorization scheme agnostic apart from providing the 'access denied' access control hook)

    I can certainly add a comment with some exclamation points and capital letters as soon as I make time to do some gardening, or we will happily apply a patch.
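    To make the report and the proposed fix concrete, here is an added illustration in plain Ruby (not the plugin's own code, and not a Rails controller). It models the generated user-state actions as a small dispatcher: `guard: false` reproduces the unprotected default the ticket describes, and the `admin_required!` check stands in for a `before_filter :admin_required, :only => [...]` wired to the plugin's access-denied hook. All names below are assumptions for the illustration.

```ruby
# Added illustration, not restful_authentication's own code. A stand-in for the
# controller actions the stateful/aasm generator routes expose on other users.
User = Struct.new(:login, :admin, :state)

class AccessDenied < StandardError; end

# Actions that change or remove *another* user's account. Without an admin
# check, any authenticated user can call them on any other user.
ADMIN_ONLY_ACTIONS = [:suspend, :unsuspend, :destroy, :purge].freeze

class UsersController
  attr_reader :current_user, :users

  def initialize(current_user, users)
    @current_user = current_user
    @users = users # login => User, stands in for the users table
  end

  # Stands in for a routed request. guard: false models the generated default
  # (no access control); guard: true models
  #   before_filter :admin_required, :only => ADMIN_ONLY_ACTIONS
  def dispatch(action, login, guard: true)
    admin_required! if guard && ADMIN_ONLY_ACTIONS.include?(action)
    send(action, login)
  end

  # The access-control hook: refuse unless the caller is an admin.
  def admin_required!
    raise AccessDenied, "admin required" unless current_user.admin
  end

  def suspend(login);   users.fetch(login).state = :suspended; end
  def unsuspend(login); users.fetch(login).state = :active;    end
  def destroy(login);   users.fetch(login).state = :deleted;   end
  def purge(login);     users.delete(login); :purged;          end
end

# Constructed sample accounts: two ordinary users and one admin.
def build_users
  { 'alice' => User.new('alice', false, :active),
    'bob'   => User.new('bob',   false, :active),
    'root'  => User.new('root',  true,  :active) }
end
```

    With the guard disabled, `alice` can purge `bob`; with it enabled the same call raises `AccessDenied` and only `root` can suspend or purge other accounts.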


Restful Authentication Generator

This widely-used plugin provides a foundation for securely managing user
* Login / logout
* Secure password handling
* Account activation by validating email
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.
