Forum: Ruby on Rails how to do security??

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Brutyn N. (Guest)
on 2005-12-19 18:51
(Received via mailing list)
Hey, I have made some security in my website based on
http://www.chaconforcongress.com/accounts/login

Here they work with users, roles and permissions, and they check it like
this:
user.has_permission(permission).

I have extended this to: users and groups with roles and permissions.
With permissions like "view records","edit records","delete records",...

def has_permission(permission)
  # walk user -> groups -> roles -> permissions and stop at the first name match
  for group in self.groups
    for role in group.roles
      for perm in role.permissions
        return true if perm.name == permission
      end
    end
  end
  false
end

All this works well. But all this security is based on the type of role
the user has (what actions the user may do).

But now I also want security on "what" the user may see.

I have in my database e.g. client ids => 1, 2, 3, 4 and 5
User 1 may only see id 1, 2 and 3
User 2 may only see id 2, 4 and 5
User 3 may only see id 3 and 5
....etc

Does anyone have an idea how to do this???
In this example there are 5 ids, but that can easily be 1000+.

Thanks in advance
Nick
Chris H. (Guest)
on 2005-12-19 19:18
(Received via mailing list)
You may want to implement this via associations.

Set up a join table clients_users and a habtm relationship between
clients and users.

Then only allow user X to view their associated clients.

(untested)

class ClientController < ApplicationController
  def list
    # only list current user's clients
    @clients = @session[:user].clients
  end

  def show
    begin
      # limit find to only those clients that are associated with the
      # current user; raises RecordNotFound if the id is not among them
      @client = @session[:user].clients.find(params[:id])
    rescue ActiveRecord::RecordNotFound
      flash[:error] = "you don't have access to view that client"
      redirect_to :action => :list
    end
  end
end
Brutyn N. (Guest)
on 2005-12-20 15:57
(Received via mailing list)
hey,

Thanks for that, I was also thinking of that.

But if you have this situation:

Database has 1000 clients
User X may watch 1 to 500
Then you have 500 records in clients_users

Won't that affect the performance of my site??

If anyone has any other suggestions, also welcome...

Thx
Nick
Steven R. (Guest)
on 2005-12-20 16:33
(Received via mailing list)
Depends on your queries; however, querying for 500 records shouldn't be a
big performance hit. You can always populate some data and see how long
the queries are taking to execute.

--
Steven R.
web application & interface developer
http://www.zerium.com
[phone] 404-488-4364
Chris H. (Guest)
on 2005-12-20 18:40
(Received via mailing list)
Same thing, different way:

class ClientController < ApplicationController
  def list
    # only list current user's clients
    @clients = @session[:user].clients
  end

  def show
    begin
      # load the client
      @client = Client.find(@params[:id])

      # check if user is associated with the client
      unless @client.users.include?(@session[:user])
        # user is not associated
        flash[:notice] = "user not associated with this client"
        redirect_to :action => :list
      end
    rescue ActiveRecord::RecordNotFound
      flash[:error] = "Cannot find client!!!"
      redirect_to :action => :list
    end
  end
end
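The two show actions Chris H. posted (find through user.clients, or load the client and then check its users) both enforce the clients_users association, but they answer a request for a client that exists and is not yours differently. The following is an added example, plain Ruby rather than the thread's Rails code: an in-memory stand-in for the clients table and the clients_users join table (the RecordNotFound class, the CLIENTS/CLIENTS_USERS sample data and the UserClients helper are all constructed here), with the unscoped lookup, the load-then-check version and the association-scoped version side by side.

```ruby
# Added example (plain Ruby, not Rails): an in-memory stand-in for the clients
# table and the clients_users join table, to compare the show actions above.
class RecordNotFound < StandardError; end

# Constructed sample data from the thread: five clients, three users, and the
# join-table rows that say which user may see which client.
CLIENTS_USERS = { 1 => [1, 2, 3], 2 => [2, 4, 5], 3 => [3, 5] }

Client = Struct.new(:id, :name) do
  # Unscoped lookup, like Client.find(id): any existing id is returned,
  # whoever asks.
  def self.find(id)
    CLIENTS.find { |c| c.id == id.to_i } or raise RecordNotFound, "client #{id}"
  end

  # The other side of the habtm relationship: users joined to this client.
  def users
    CLIENTS_USERS.select { |_, ids| ids.include?(id) }.keys.map { |uid| User.new(uid) }
  end
end
CLIENTS = (1..5).map { |i| Client.new(i, "client #{i}") }

User = Struct.new(:id) do
  # The habtm collection: only the clients joined to this user.
  def clients
    ids = CLIENTS_USERS.fetch(id, [])
    UserClients.new(CLIENTS.select { |c| ids.include?(c.id) })
  end
end

class UserClients
  def initialize(rows)
    @rows = rows
  end

  def to_a
    @rows
  end

  # Scoped lookup, like user.clients.find(id): the id is resolved inside the
  # association, so a client that exists but is not joined to this user is
  # indistinguishable from one that does not exist at all.
  def find(id)
    @rows.find { |c| c.id == id.to_i } or raise RecordNotFound, "client #{id}"
  end
end

# The three controller strategies as plain functions that return either the
# client or a symbol naming the refusal.

# 1. Client.find with no ownership check: an insecure direct object reference;
#    any logged-in user reads any client by guessing its id.
def show_unscoped(user, id)
  Client.find(id)
rescue RecordNotFound
  :not_found
end

# 2. Load first, then check membership (the second version above): correct
#    authorization, but the two distinct answers tell the caller whether the
#    id exists, which makes enumerating client ids easy.
def show_load_then_check(user, id)
  client = Client.find(id)
  client.users.include?(user) ? client : :not_associated
rescue RecordNotFound
  :not_found
end

# 3. Find through the association (the first version above): one answer for
#    "does not exist" and "not yours".
def show_scoped(user, id)
  user.clients.find(id)
rescue RecordNotFound
  :not_found
end
```

Whichever variant is used, the point is that the id from the request is never trusted on its own: it is either resolved inside the user's association or checked against it before anything is rendered, and with the scoped find the error path does not depend on whether the record exists.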
Brutyn N. (Guest)
on 2005-12-21 13:18
(Received via mailing list)
hey,

I'm trying to implement this stuff.

User x can access client 1, client 2, client 4.

I want this on my site: 2 lists, one with the available clients, and the
other with the clients the user can access.
(I know this is more JavaScript, but does anyone have a great script for
this? I found one but it isn't that good, some bugs I can find.)

Select the clients that the user may access.
Available clients               Selected clients
client 3                >>      client 1
client 5                        client 2
client 6                <<      client 4
client 7
Brutyn N. (Guest)
on 2005-12-22 15:41
(Received via mailing list)
Hey,

I want to extend this security stuff.

This is the situation:
User x can access all users or several users (e.g. user1, user 2, user 3).
In the client tab, you can search on clients and the query result is
displayed under the search with pagination.

Now you can have 2 things:
- user may access all clients: display all clients, search on name
brutyn, and display the clients (normal situation)
- user may access user1, 2 and 3: display those clients, search on
user1, and now need to display user1 (I need help for this => several
clients + search + pagination)

This is in my controller:

def list
  # set the charset to utf8 for displaying the weird characters on the page
  output_to_html
  # get the user and the firm id from the session
  user = User.find(@session[:user].id)
  @firm_id = @session[:user].firm_id
  # pick up the search fields if there is a post (blank field => '' so the
  # LIKE pattern below becomes '%%' and matches everything)
  if @request.post?
    @name     = params[:client][:name].blank?     ? '' : params[:client][:name]
    @address1 = params[:client][:address1].blank? ? '' : params[:client][:address1]
    @zip      = params[:client][:zip].blank?      ? '' : params[:client][:zip]
    @city     = params[:client][:city].blank?     ? '' : params[:client][:city]
    @country  = params[:client][:country].blank?  ? '' : params[:client][:country]
  end

  # the search conditions, all values bound through ? placeholders
  conditions = ['firm_id = ? and name like ? and address1 like ? and zip like ? ' +
                'and city like ? and country like ? and deleted like ?',
                @firm_id, "%#{@name}%", "%#{@address1}%", "%#{@zip}%",
                "%#{@city}%", "%#{@country}%", 0]

  # admins and view_all users see every client of the firm; everyone else is
  # restricted to the clients joined to them in clients_users, so their id
  # list goes into the same query and the search and pagination run over it
  unless user.has_permission('admin') || user.view_all == 1
    conditions[0] += ' and id in (?)'
    conditions << user.clients.collect { |client| client.id }
  end

  # get the client records matching the conditions and paginate them
  @client_pages, @clients = paginate :client, :conditions => conditions,
                                      :order_by => "name ASC", :per_page => 10
end
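The "several clients + search + pagination" case in the post above comes down to the order in which the three filters are applied: the access restriction (firm, deleted flag, and the user's clients_users ids) must be part of the query before the search runs and before the rows are counted for pagination, otherwise the page count, or a page that comes back with holes in it, reveals clients the user may not see. The following is an added example, plain Ruby rather than the thread's Rails controller, that applies the same filter chain over in-memory rows; the Client and User structs, the CLIENTS and CLIENTS_USERS sample data, and the visible_clients/paginate_clients names are all constructed for the example.

```ruby
# Added example (plain Ruby, not the thread's Rails controller): the access
# scope, the search and the pagination applied in that order over in-memory
# rows standing in for the clients table and the clients_users join table.
Client = Struct.new(:id, :firm_id, :name, :city, :deleted)
User   = Struct.new(:id, :firm_id, :view_all, :permissions) do
  def has_permission(name)
    permissions.include?(name)
  end

  # ids from the clients_users join table for this user
  def client_ids
    CLIENTS_USERS.fetch(id, [])
  end
end

# Constructed sample data: one firm with a soft-deleted client, one client of
# another firm, and the join rows from the thread.
CLIENTS = [
  Client.new(1, 1, "Brutyn N.",  "Gent",    0),
  Client.new(2, 1, "Chris H.",   "Atlanta", 0),
  Client.new(3, 1, "Steven R.",  "Atlanta", 0),
  Client.new(4, 1, "Brutyn Ltd", "Brussel", 0),
  Client.new(5, 1, "Old Brutyn", "Gent",    1),   # deleted = 1, never listed
  Client.new(6, 2, "Other Firm", "Paris",   0),   # belongs to firm 2
]
CLIENTS_USERS = { 1 => [1, 2, 3], 2 => [2, 4, 5], 3 => [3, 5] }

# The same filter the controller's SQL expresses: firm_id = ?, deleted = 0,
# one LIKE per search field (a blank field matches everything, as '%%' does),
# and "id in (?)" for users who are neither admin nor view_all. Everything is
# applied before the rows are counted, so neither the rows nor the page count
# can reveal clients the user may not see.
def visible_clients(user, search = {})
  rows = CLIENTS.select { |c| c.firm_id == user.firm_id && c.deleted == 0 }
  unless user.has_permission('admin') || user.view_all == 1
    ids = user.client_ids
    rows = rows.select { |c| ids.include?(c.id) }
  end
  search.each do |field, needle|
    next if needle.to_s.empty?
    # case-insensitive substring match, like MySQL's default LIKE collation
    rows = rows.select { |c| c[field].downcase.include?(needle.downcase) }
  end
  rows.sort_by(&:name)
end

# 1-based page number like the paginate helper; returns [rows_on_page, page_count]
def paginate_clients(user, search, page, per_page = 10)
  rows = visible_clients(user, search)
  page_count = [(rows.size + per_page - 1) / per_page, 1].max
  [rows[(page - 1) * per_page, per_page] || [], page_count]
end
```

In the controller this is the same as appending "and id in (?)" with the user's client ids to the :conditions passed to paginate, so that one query does the restriction, the search and the count; filtering user.clients in Ruby after paginate has already run would page over rows the user must not see.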