Hello,
I have a security schema for all kinds of items in my application
(pages, logs, links, …). Basically it works as follows :
readable_by can be either ‘a’ (all) ‘g’ (group) or ‘u’ (owner). If it
is group then rgroup_id is set.
writable_by can be either ‘a’, ‘g’ or ‘u’. If it is ‘g’ for ‘group’,
wgroup_id is set.
a user can read
* all posts he created (independantly of the readable_by flag)
* he has access to from the groups he is (rgroup_id in …)
* all public posts (readable_by all)
the same works for write access.
I want to be absolutely sure a bug in my controller can not override
my security schema. This is what I did, but I am not sure if there
could be a more elegant way to do this. I would love to override
‘find’, but it loops on it-self…
Any clues on this problem ? Is this way of implementing Security in
the Model correct ?
Thanks for your answers,
Gaspard
module ApplicationHelper
class ActiveRecord::Base
def self.sfind(session, *args)
#... (change args depending on session parameters)
#... the change looks like (my code has some error checking
not shown and handles the case where no user is logged in)
args[1][:conditions][0] = args[1][:conditions][0].to_s + " AND
( readable_by = ‘a’ OR (readable_by = ‘g’ AND rgroup_id IN (#{session
[:user_groups]})) OR user_id = ‘#{user_id}’) "
# …
self.find(*args)
end
def writable?(session)
... return true or false depending on session and attributes
end
end
end