I recently ran across an instance where I needed to pass a relatively simple OpenStruct from a view back to the controller via a GET. It was a strange situation where I needed the OpenStruct to populate some tables in the view, but upon a user submit, needed to use that same OpenStruct back in a controller action.
I found a bad way to do it.
Let’s say your open struct is called @my_struct. From the view, a way to pass that struct to a controller action could be as follows:
<%= link_to "Passing an Open Struct!", my_controller_url(:my_struct=> Marshal.dump(@my_struct)) %>
This will create a link with the text “Passing an Open Struct!” that will send your open struct back to a specified controller action (assume a route has been set up for my_controller). Only thing is, @my_struct has been converted to a byte stream via Marshal.dump. So in the controller action, you’ll need to convert it back to the original OpenStruct. To do that, see below:
def some_action
  @my_struct = Marshal.load(params[:my_struct])
  # now you can do stuff with the original @my_struct
end
This technique would work for any class object.
So, what’s the problem with this?
UNFORTUNATELY, it opens up a huge security hole: Marshal.load builds whatever objects the byte stream describes, so a user who edits the parameter can pass any object over to the server-side controller (this is insecure deserialization). VERY BAD. Well, I live and learn each day. What at first appears to be a good solution to a problem may ultimately be hugely flawed.
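Here is the alternative I would reach for instead of Marshal, as an added example that is not code from the original post: serialise only the struct's plain data as JSON, and on the way back accept only known keys with scalar values, so a tampered parameter can never make the server instantiate anything but an OpenStruct. ALLOWED_KEYS (name, count) is an assumption, since the post never names the struct's fields.

```ruby
require "json"
require "ostruct"

# Keys the controller is willing to accept back from the client.
# Assumed for this example; the original post does not name the fields.
ALLOWED_KEYS = %w[name count].freeze

SCALAR_TYPES = [String, Numeric, TrueClass, FalseClass, NilClass].freeze

# Send only plain data to the view, never a Ruby object graph.
# Unknown fields are dropped here so they never reach the client.
def encode_struct(struct)
  JSON.generate(struct.to_h.slice(*ALLOWED_KEYS.map(&:to_sym)))
end

# Rebuild the struct from the request parameter. Anything that is not a
# JSON object with known keys and scalar values raises ArgumentError, so
# the action can answer 400 instead of trusting the client's bytes.
def decode_struct(param)
  data = JSON.parse(param)
  raise ArgumentError, "expected a JSON object" unless data.is_a?(Hash)

  unknown = data.keys - ALLOWED_KEYS
  raise ArgumentError, "unexpected keys: #{unknown.join(', ')}" unless unknown.empty?

  bad = data.reject { |_, v| SCALAR_TYPES.any? { |t| v.is_a?(t) } }
  raise ArgumentError, "non-scalar values: #{bad.keys.join(', ')}" unless bad.empty?

  OpenStruct.new(data.transform_keys(&:to_sym))
rescue JSON::ParserError, EncodingError => e
  # A Marshal byte stream, or any other junk, ends up here.
  raise ArgumentError, "malformed struct parameter: #{e.message}"
end
```

In a Rails app the view would call encode_struct in place of Marshal.dump and the action would call decode_struct; if the client must also be prevented from changing the values, wrap the JSON with ActiveSupport::MessageVerifier before putting it in the URL.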