is this too much information for end-user? #2246
Comments
Perhaps. In which circumstance do you see that error? I would think you should not see it if you use the provided interface, and it would only appear if you forged a request.
Yes out of the provided interface.
This issue may actually have merit. The question is: would this reveal information useful to an attacker? For example, by doing this an attacker would be able to see details about what attributes are available for models. That would not be so good. Perhaps we should give less information?
We might need to think about I18n for the message later. How about this?

```ruby
case resource
when String, Symbol
  super("Not allowed to perform #{action.inspect} on #{resource.inspect}")
when Module
  super("Not allowed to perform #{action.inspect} on #{resource.name}")
else
  super(
    "Not allowed to perform #{action.inspect} on the given " +
      resource.class.name
  )
end
```
Thank you!
administrate/lib/administrate/not_authorized_error.rb
Line 9 in f10b556
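The disclosure discussed in this thread, as an added example that is not part of the issue or of Administrate's code: it compares a message that interpolates a record with `#inspect` against the `case` form proposed above and lists which attribute names reach the message. The class names, the `leaked_attributes` helper and the sample record are hypothetical, and the "before" form assumes the original message used `resource.inspect` for every resource.

```ruby
# Constructed stand-in for a model whose #inspect dumps every attribute,
# as ActiveRecord-style objects do.
class Customer
  def initialize(attrs)
    @attrs = attrs
  end

  def inspect
    "#<Customer #{@attrs.map { |k, v| "#{k}: #{v.inspect}" }.join(', ')}>"
  end
end

# Before (assumed): every resource is interpolated with #inspect, so a
# record's attribute names and values land in the user-visible message.
class VerboseNotAuthorizedError < StandardError
  def initialize(action:, resource:)
    super("Not allowed to perform #{action.inspect} on #{resource.inspect}")
  end
end

# After: the case statement proposed in the thread. Record instances are
# reduced to their class name; strings, symbols and classes keep their name.
class ReducedNotAuthorizedError < StandardError
  def initialize(action:, resource:)
    case resource
    when String, Symbol
      super("Not allowed to perform #{action.inspect} on #{resource.inspect}")
    when Module
      super("Not allowed to perform #{action.inspect} on #{resource.name}")
    else
      super("Not allowed to perform #{action.inspect} on the given #{resource.class.name}")
    end
  end
end

# Returns the attribute names from attrs that appear verbatim in message.
def leaked_attributes(message, attrs)
  attrs.keys.map(&:to_s).select { |name| message.include?(name) }
end

# Constructed sample record, not real data.
SAMPLE_ATTRS = { email: "a@example.test", lifetime_value: 1200, vip: true }.freeze
SAMPLE = Customer.new(SAMPLE_ATTRS)

[VerboseNotAuthorizedError, ReducedNotAuthorizedError].each do |klass|
  message = klass.new(action: "destroy", resource: SAMPLE).message
  puts "#{klass}: #{message}"
  puts "  leaked attributes: #{leaked_attributes(message, SAMPLE_ATTRS).inspect}"
end
```

A check like `leaked_attributes` can sit in a test suite as a regression guard, so a later change to the message format does not reintroduce record contents.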