stffn / declarative_authorization

An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
MIT License

controller instance variables assigned when user is not authorized #22

Closed jjb closed 15 years ago

jjb commented 15 years ago

If a user doesn't have access to a resource, the instance variable is still populated, even though the resource is not then delivered to the user.

Only assigning the variables if the user does have access would be a win for performance and security, albeit probably only in obscure edge cases.

I realized some cases do require accessing the data in the db to actually determine the authorization -- what do you think of setting these variables back to nil as soon as it is discovered that the user does not have access?

I suppose there are probably people who still use the data for other purposes and still want it around, even in the views?

Just thinking out loud… let me know what you think. If you think it's a good idea to set them to nil, I'll be happy to put together a patch.

John

stffn commented 15 years ago

I have no definitive opinion on this issue. It's a performance issue only with a large number of unauthorized accesses. Do we have any example of that? It's a security issue only if you still use the instance variables in case of permission denied. A simple workaround for the latter is to clear the instance variables in the permission denied method. It is definitely an issue to think about, but from the arguments on the table, I don't think we need to act here.
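The workaround suggested in the comment above, sketched as an added example that is not part of the original thread or the plugin's code. It is a plain-Ruby stand-in for a controller so it runs without Rails; `SketchController`, `Post`, `run_show`, `load_post` and `assign_resource` are hypothetical names, and `permission_denied` stands for the "permission denied method" mentioned above.

```ruby
# Added illustration: plain-Ruby stand-in for a Rails controller (no Rails needed).
# All class and method names here are hypothetical; permission_denied stands
# for the controller's "permission denied method" mentioned in the thread.
Post = Struct.new(:id, :owner, :body)

class SketchController
  # Constructed sample data standing in for the database.
  POSTS = { 1 => Post.new(1, "alice", "alice's private draft") }.freeze

  attr_reader :response

  def initialize(current_user)
    @current_user = current_user
    @loaded_resources = [] # names of ivars set by resource-loading filters
  end

  # Mimics the order described in the issue: load first, then authorize.
  def run_show(id)
    load_post(id)
    return permission_denied unless @post.owner == @current_user

    @response = "200 #{@post.body}"
  end

  private

  def load_post(id)
    assign_resource(:@post, POSTS.fetch(id))
  end

  # Record every resource ivar so the denial path knows what to clear.
  def assign_resource(name, value)
    instance_variable_set(name, value)
    @loaded_resources << name
  end

  # The workaround: drop every loaded resource before answering the denial,
  # so an error template or a later filter cannot read it by accident.
  def permission_denied
    @loaded_resources.each { |name| instance_variable_set(name, nil) }
    @loaded_resources.clear
    @response = "403 Forbidden"
  end
end
```

Tracking the assigned names keeps the clearing step limited to loaded resources and leaves other controller state such as `@current_user` intact.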

jjb commented 15 years ago

Okay, sounds good.