Slight security flaw in Turbo Stream broadcasts

Jason McKee
I believe the way turbo stream is implemented by default creates a slight security flaw in that other users (on different accounts) can see the broadcasts related to a distinct account. This is because the default ActionCable subscription is to just the model so the signed channel is the same for all users when looking at the index page of a project.

You can fix this by adding the current account to the broadcasts, e.g.:
  after_create_commit -> { broadcast_prepend_later_to [account, :projects], partial: "projects/index", locals: {project: self} }
  after_update_commit -> { broadcast_replace_later_to [account, self] }
  after_destroy_commit -> { broadcast_remove_to [account, :projects], target: dom_id(self, :index) }

and then to the turbo_stream tag in the view:
  <%= turbo_stream_from [current_account, @project] %>

I discovered this when reading this section of a pretty interesting hotrails guide: https://www.hotrails.dev/turbo-rails/turbo-streams-security
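The mechanism behind the post above, as an added example that is not part of the original post or of turbo-rails: Turbo derives a stream name from the "streamables" passed to `broadcast_*_to` and `turbo_stream_from` (joining each item's GlobalID param, or `to_param`, with ":"), signs that name before it reaches the browser, and only delivers a broadcast to clients whose verified name matches. The code below is a stand-alone simulation of that flow in plain Ruby (no Rails): the `Account`/`Project` structs, the `gid://app/...` strings, the HMAC secret and the `StreamHub` class are all constructed assumptions standing in for ActiveRecord, GlobalID, `ActiveSupport::MessageVerifier` and ActionCable. It shows why an unscoped `:projects` stream leaks account 1's updates to account 2, why scoping to `[account, :projects]` stops that, and why a client cannot simply subscribe to another account's stream by hand, because the subscription must carry a server signature.

```ruby
require "openssl"
require "base64"

# Constructed stand-ins for ActiveRecord models; to_gid_param mimics the shape of
# GlobalID#to_param only loosely (real GlobalIDs are URL-safe base64 of a gid:// URI).
Account = Struct.new(:id) do
  def to_gid_param
    "gid://app/Account/#{id}"
  end
end

Project = Struct.new(:id) do
  def to_gid_param
    "gid://app/Project/#{id}"
  end
end

SECRET = "constructed-secret-key-base" # assumption; Rails would use secret_key_base

# Stream name derivation in the style of Turbo::Streams::StreamName#stream_name_from:
# every streamable contributes its GlobalID param (or its string form for a symbol),
# joined with ":". [account, :projects] therefore differs per account.
def stream_name_from(streamables)
  Array(streamables).map { |s| s.respond_to?(:to_gid_param) ? s.to_gid_param : s.to_s }.join(":")
end

# Server signs the stream name before embedding it in the turbo_stream_from tag.
# HMAC-SHA256 stands in for ActiveSupport::MessageVerifier here.
def sign_stream_name(name)
  "#{Base64.strict_encode64(name)}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, name)}"
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Subscription-time check: accept only names that carry a signature made with SECRET.
def verified_stream_name(signed)
  encoded, sig = signed.to_s.split("--", 2)
  return nil unless encoded && sig
  name = Base64.strict_decode64(encoded)
  secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", SECRET, name), sig) ? name : nil
rescue ArgumentError
  nil # malformed base64
end

# Minimal pub/sub standing in for ActionCable: subscribers are keyed by verified stream name.
class StreamHub
  def initialize
    @subscriptions = Hash.new { |h, k| h[k] = [] }
  end

  # The client presents the signed name it received in its turbo_stream_from tag.
  def subscribe(signed_name, client_inbox)
    name = verified_stream_name(signed_name)
    return false if name.nil?
    @subscriptions[name] << client_inbox
    true
  end

  # The model callback side: broadcast_*_to resolves streamables to the same name.
  def broadcast_to(streamables, payload)
    @subscriptions[stream_name_from(streamables)].each { |inbox| inbox << payload }
  end
end

def demo
  account1 = Account.new(1)
  account2 = Account.new(2)

  # Unscoped (default) stream: every account's index page subscribes to the same name,
  # so account 2's browser receives account 1's new project.
  hub = StreamHub.new
  inbox1 = []
  inbox2 = []
  hub.subscribe(sign_stream_name(stream_name_from(:projects)), inbox1)
  hub.subscribe(sign_stream_name(stream_name_from(:projects)), inbox2)
  hub.broadcast_to(:projects, "project created in account 1")
  leaked_to_account2 = inbox2.size

  # Scoped stream: the account is part of the name, so only account 1 receives it.
  scoped_hub = StreamHub.new
  scoped_inbox1 = []
  scoped_inbox2 = []
  scoped_hub.subscribe(sign_stream_name(stream_name_from([account1, :projects])), scoped_inbox1)
  scoped_hub.subscribe(sign_stream_name(stream_name_from([account2, :projects])), scoped_inbox2)
  scoped_hub.broadcast_to([account1, :projects], "project created in account 1")

  # A client that guesses account 1's stream name but lacks a valid signature is refused.
  guessed = "#{Base64.strict_encode64(stream_name_from([account1, :projects]))}--deadbeef"
  unsigned_accepted = scoped_hub.subscribe(guessed, scoped_inbox2)

  {
    leaked_to_account2: leaked_to_account2,
    scoped_account1: scoped_inbox1.size,
    scoped_account2: scoped_inbox2.size,
    unsigned_accepted: unsigned_accepted
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running `demo` gives one leaked message on the unscoped stream, one delivered and none leaked on the account-scoped stream, and the unsigned subscription refused. The same reasoning applies to the post's `[account, self]` replace/remove broadcasts and the matching `turbo_stream_from [current_account, @project]` tag: the browser only ever receives a stream name the server signed for that account, so the signed name doubles as the authorization for that stream.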
