hey, I have made some security in my website based on
http://www.chaconforcongress.com/accounts/login
Here they work with users, roles and permissions, and they check it like this:
user.has_permission(permission).
I have extended this to: users and groups with roles and permissions.
With permissions like “view records”,“edit records”,“delete records”,…
def has_permission(permission)
  # walk user -> groups -> roles -> permissions and stop at the first name match
  for group in self.groups
    for role in group.roles
      for perm in role.permissions
        if perm.name == permission
          return true
        end
      end
    end
  end
  false
end
All this works well. But all this security is based on the type of role the user
has (what actions the user may do).
But now I also want security on "what" the user may see.
I have in my database e.g. client ids => 1, 2, 3, 4 and 5
User 1 may only see id 1, 2 and 3
User 2 may only see id 2, 4 and 5
User 3 may only see id 3 and 5
…etc
Does anyone have an idea how to do this???
In this example there are 5 ids, but that can easily be 1000+.
Thanks in advance
Nick
you may want to implement this via associations
set up a join table clients_users and a habtm relationship between clients
and users.
then only allow user X to view their associated clients.
(untested)
class ClientController < ApplicationController
  def list
    # only list current user's clients
    @clients = @session[:user].clients
  end

  def show
    begin
      # limit find to only those clients that are associated with the current user
      # will raise a RecordNotFound exception if not found
      @client = @session[:user].clients.find(params[:id])
    rescue ActiveRecord::RecordNotFound
      flash[:error] = "you don't have access to view that client"
      # redirect rather than render, so the list action can load @clients first
      redirect_to :action => :list
    end
  end
end
hey,
thanks for that, I was also thinking of that.
But if you have this situation:
Database has 1000 clients
User X may watch 1 to 500
Then you have 500 records in clients_users
Won't that affect the performance of my site??
If anyone has any other suggestions, also welcome…
Thx
Nick
depends on your queries, however querying for 500 records shouldn't be a big
performance hit, you can always populate some data and see how long the
queries are taking to execute.
On 12/20/05, Brutyn N. [email protected] wrote:
–
Steven R.
web application & interface developer
http://www.zerium.com
[phone] 404-488-4364
same thing, different way
class ClientController < ApplicationController
  def list
    # only list current user's clients
    @clients = @session[:user].clients
  end

  def show
    begin
      # load the client
      @client = Client.find(@params[:id])
      # check if user is associated with the client
      unless @client.users.include?(@session[:user])
        # user is not associated
        flash[:notice] = "user not associated with this client"
        redirect_to :action => :list
      end
    rescue ActiveRecord::RecordNotFound
      flash[:error] = "Cannot find client!!!"
      redirect_to :action => :list
    end
  end
end
hey,
I'm trying to implement this stuff.
user x can access client 1, client 2, client 4
I want this on my site, 2 lists, one with the available clients, and the other
with the clients the user can access
(I know this is more javascript, but does anyone have a great script for
this, I found one but it isn't that good, some bugs I can find)
Select the clients that the user may access.

Available clients          Selected clients
client 3          >>       client 1
client 5                   client 2
client 6          <<       client 4
client 7
Hey,
I want to extend this security stuff
this is the situation:
User x can access all users or several users (ex. user1, user 2, user 3)
In the client tab, you can search on clients and the query result is
displayed under the search with pagination.
Now you can have 2 things:
- user may access all clients, displays all clients, search on name
  brutyn, and display the clients (normal situation)
- user may access user1, 2 and 3, displays those clients, search on
  user1, and now need to display user1 (I need help for this => several
  clients + search + pagination)
this is in my controller
def list
  # setting the charset to utf8 for displaying the weird characters on the page
  output_to_html
  # getting the firm id from the session
  user = User.find(@session[:user].id)
  @firm_id = @session[:user].firm_id
  # checking if there is a post
  if @request.post?
    @name     = params[:client][:name].blank?     ? '' : params[:client][:name]
    @address1 = params[:client][:address1].blank? ? '' : params[:client][:address1]
    @zip      = params[:client][:zip].blank?      ? '' : params[:client][:zip]
    @city     = params[:client][:city].blank?     ? '' : params[:client][:city]
    @country  = params[:client][:country].blank?  ? '' : params[:client][:country]
  end
  # getting the client records depending on the given parameters and paginating them
  # (on a GET the search fields are nil, so every LIKE becomes '%%' and matches all)
  @client_pages, @clients = paginate :client,
    :conditions => ['firm_id = ? and name like ? and address1 like ? and zip like ? and city like ? and country like ? and deleted like ?',
                    @firm_id, "%#{@name}%", "%#{@address1}%", "%#{@zip}%", "%#{@city}%", "%#{@country}%", 0],
    :order_by => "name ASC", :per_page => 10
  if user.has_permission('admin') || user.view_all == 1
    # admin or view_all: the paginated result is already everything this user may see
  else
    # only list current user's clients
    for client in user.clients
      # …check if the user may access it and it is in the searched items
    end
  end
end
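An added example, not code from the thread, showing how the two pieces above fit together: the clients_users association as an access filter (Steven's `user.clients` / `user.clients.find(id)`), applied before the search and the pagination instead of after them. Plain Ruby Structs stand in for ActiveRecord, so it runs without Rails; the Client/User names and the firm_id, deleted and view_all columns mirror the thread, and all rows and users are constructed.

```ruby
# Added example, not from the thread: access check first, then search, then
# pagination, with plain Ruby Structs in place of ActiveRecord. Names mirror
# the thread (Client, User, firm_id, deleted, view_all); all data is constructed.
Client = Struct.new(:id, :firm_id, :name, :city, :deleted)
User   = Struct.new(:id, :firm_id, :view_all, :client_ids)
NotAccessible = Class.new(StandardError)   # plays the role of ActiveRecord::RecordNotFound

CLIENTS = [                                 # constructed sample rows
  Client.new(1, 1, "Brutyn NV",   "Gent",   0),
  Client.new(2, 1, "Brutyn BVBA", "Brugge", 0),
  Client.new(3, 1, "Acme",        "Gent",   0),
  Client.new(4, 1, "Brutyn Old",  "Gent",   1),   # soft-deleted row
  Client.new(5, 2, "Brutyn Zwei", "Gent",   0),   # another firm's row
]

# Step 1: the rows this user may see at all. This is what the clients_users
# join (user.clients) gives you; view_all users skip the join but still get
# the firm and deleted filters from the thread's conditions.
def accessible_clients(user, clients = CLIENTS)
  clients.select do |c|
    c.firm_id == user.firm_id && c.deleted == 0 &&
      (user.view_all || user.client_ids.include?(c.id))
  end
end

# Step 2: the search, a case-insensitive "LIKE %term%" per given column.
def search_clients(clients, filters)
  clients.select do |c|
    filters.all? { |col, term| c[col].to_s.downcase.include?(term.to_s.downcase) }
  end
end

# Step 3: paginate the authorized and filtered set, so the page count is
# right and no row the user may not see is ever loaded. Returns [rows, pages].
def paginate(clients, page, per_page)
  pages = [(clients.size + per_page - 1) / per_page, 1].max
  [clients.sort_by(&:name).each_slice(per_page).to_a[page - 1] || [], pages]
end

def list_clients(user, filters, page: 1, per_page: 10)
  paginate(search_clients(accessible_clients(user), filters), page, per_page)
end

# show: look the record up through the accessible set, the equivalent of
# user.clients.find(id). A foreign id and a nonexistent id fail the same way,
# so the response does not tell a user which other clients exist.
def find_accessible_client!(user, id)
  accessible_clients(user).find { |c| c.id == id } or raise NotAccessible, "client #{id}"
end
```

In Rails the same shape is a single query: the conditions from the `paginate` call plus a join on clients_users (or an `id IN (...)` on `user.client_ids`), so the database filters and counts pages rather than a Ruby loop over `user.clients`.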