How to securely register non-routing clicks on page via AJAX/update action?

55 views Asked by At

I want to register various clicks on a webpage, e.g. toggle visibility of elements.

The clicks come from users not logged in.

I have an Impression model with an actions attribute that stores key-value pairs of actions made on a certain page.

On a click event I'm updating a record with this function:

function sendAjax(id, data) {
    $.ajax({
      type: "PATCH",
      url: '/impressions/update',
      data: {'impression_id' : id, 'actions' : data},
      success: function(events){
      }
   });  
}

But I'm realizing that this is not secure at all, the user could theoretically update whatever record she wants.

How could I do this more securely, can I take advantage of Rails' protect_from_forgery in any way with my use case?

2

There are 2 answers

0
Billy Chan On BEST ANSWER

I don't think this is a necessary feature. Maybe you think too much :)

Even in Google Analytic you can't stop a visitor from manipulating his action, theoretically. One can push any events he want just in console.

Also it's not necessary for analytic tool to be 100% secure and precise. There must be noises, you can ease them but can't really avoid them, or avoid them in a reasonable cost.

2
xdazz On

You just need to find the Impression from impressions belongs to the current_user.

Example:

def update
  @impression = current_user.impressions.find(params[:impression_id])
  # ...
end