Forum: Ruby on Rails Securing the Model

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
gaspard (Guest)
on 2006-02-20 13:12
(Received via mailing list)
Hello,

I have a security schema for all kinds of items in my application
(pages, logs, links, ...). Basically it works as follows :
readable_by can be either 'a' (all) 'g' (group) or 'u' (owner). If it
is group then rgroup_id is set.
writable_by can be either 'a', 'g' or 'u'. If it is 'g' for 'group',
wgroup_id is set.

a user can read
	* all posts he created (independantly of the readable_by flag)
	* he has access to from the groups he is (rgroup_id in ...)
	* all public posts (readable_by all)

the same works for write access.

I want to be absolutely sure a bug in my controller can not override
my security schema. This is what I did, but I am not sure if there
could be a more elegant way to do this. I would love to override
'find', but it loops on it-self...

Any clues on this problem ? Is this way of implementing Security in
the Model correct ?

Thanks for your answers,

Gaspard

module ApplicationHelper
   class ActiveRecord::Base

      def self.sfind(session, *args)
          #... (change args depending on session parameters)
          #... the change looks like (my code has some error checking
not shown and handles the case where no user is logged in)
	args[1][:conditions][0] = args[1][:conditions][0].to_s + " AND
( readable_by = 'a' OR (readable_by = 'g' AND rgroup_id IN (#{session
[:user_groups]}))  OR user_id = '#{user_id}') "
          # ...
          self.find(*args)
      end

      def writable?(session)
          ... return true or false depending on session and attributes
      end

    end
end
This topic is locked and can not be replied to.