This project is archived and is in readonly mode.

#2551 ✓stale
Rene Perrier

ActionController::Base.hide_action not working as expected when template exists

Reported by Rene Perrier | April 23rd, 2009 @ 06:32 PM | in 3.x

I found out that when an action has a template associated to it, using hide_action for this action will prevent the code in the action_controller to be called, but it will still display the template.

I was expecting something like "no action responded to <action_name>" instead

To reproduce, use test application attached.

I think this could be a security issues as developers could be lead into a false sense of security by using "hide_action" and still having a template for it that will be rendered if a user call the action from its browser.

I am using rails 2.0.4

Comments and changes to this ticket

  • Heiko Webers

    Heiko Webers April 24th, 2009 @ 09:15 AM

    This even works when you move the action to the private or protected part of the controller. Works in Rails 2.2.2 and 2.3.2 as well.

  • Rene Perrier

    Rene Perrier April 24th, 2009 @ 05:27 PM

    I found http://lists.rubyonrails.org/pip... on the rails mailing list about this issue.

    I shows that it is a known issue, but the issue is: if an action is hidden using the hide_action method AND a template with the corresponding name exists, why should the template be rendered?

  • Jeremy Kemper

    Jeremy Kemper May 4th, 2010 @ 06:48 PM

    • Milestone changed from 2.x to 3.x
  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 05:03 PM

    • State changed from “new” to “open”
    • Importance changed from “” to “”

    This issue has been automatically marked as stale because it has not been commented on for at least three months.

    The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

    Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 05:03 PM

    • State changed from “open” to “stale”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

People watching this ticket

Attachments

Pages