Before Filters

Rails
1

Hi all,
I am having a slight problem with a before filter. I have a page
that calls a before filter to create a set of methods to call my
report generator based on if the person has permissions to the
report. In development it seems to work fine, but in production I
Only have access to one of the reports, It tells me that no action
responded to the particular method being called. Being that I can
get to the fist report, I know that it is working but failing on the
second time through the loop.

code in the controller looks like this;

########################################################################################
before_filter :create_report_methods

def create_report_methods
Report.find_all.each do |r|
HomeController.send :define_method, “report_#{r.id}” do
redirect_to(“http://onetruth:8080/birt/frameset?
__report=#{r.name}.rptdesign”)
end unless ReportMembership.find(:first,:conditions =>
[“report_id = ? and memberable_type = ‘TeamMember’ and memberable_id
= ?”, r.id, TeamMember.get_team_member.id]).nil? and
ReportMembership.find_by_sql([“select * from report_memberships as rm,
team_members as tm, departments as d, department_memberships as dm
where rm.memberable_type =‘Department’ and rm.memberable_id = d.id and
d.id = dm.department_id and dm.team_member_id = tm.id and tm.id = ?
and report_id = ?”,TeamMember.get_team_member.id, r.id]).first.nil?
end
end

###########################################################################################
It works as expected in development, so my question is could another
user be going to the site through mongrel and changing the methods I
have? Any help is appreciated with this issue of mine. (I will post
the log entries once I find them, I am working in production on a
test system)

White W.

2

On 22 Jan 2008, at 14:00, White W. wrote:

__report=#{r.name}.rptdesign")

yuck.

###########################################################################################
It works as expected in development, so my question is could another
user be going to the site through mongrel and changing the methods I
have? Any help is appreciated with this issue of mine. (I will post
the log entries once I find them, I am working in production on a
test system)

Quite possible. Another difference between development and production
is that in development the classes are reloaded on each request.
I have to wonder why you need a convoluted design like this, rather
than have a single report action that generates the right thing base
on the id parameter.

Fred

3

The thought behind this is for security reasons, if the user has a
report method that parameters are passed to, a person could easily get
a hold of reports that he should not be able to see. If I query the
database, like I am doing here, I still run the risk of someone
getting to the report. If I use everything behind the scenes like I
currently am and define a method to called each report based on if
you have permissions on that report it seems a little more secure than
passing a number to a report function. I also don’t have to error
check to see if the id is an integer and all the other fun stuff that
goes along with that.

Anyways my boss liked it better this way. Also I noticed that I have
permissions on all reports and I can only get to the first report, not
the others that I have permission to. There is one other person that
has permission has the same as I do. This is perplexing me a little
bit.

White W.

4

BTW I do know that I need to refactor this code to prevent some CS
attacks by taking and moving the finds into the models… .

WW

On Jan 22, 12:50 pm, White W. [email protected]

5

On 22 Jan 2008, at 17:50, White W. wrote:

goes along with that.

You’re adding no security, but you are adding rather a lot of
complexity (and of course once you’ve added the methods for one user
they’ll be there for every user. Of course you won’t notice that in
development because classes are reloaded, so that a hole waiting to
bite you)

If user has_many :reports (via some join model that models who has
been give access to what) then it’s as easy as

report = @logged_in_user.find(params[:id])
if report
report.run
else
#oops, you don’t have access to that report
end

Fred

Anyways my boss liked it better this way. Also I noticed that I have
permissions on all reports and I can only get to the first report, not
the others that I have permission to. There is one other person that
has permission has the same as I do. This is perplexing me a little
bit.