Limiting records in a restful controller

I want to make my controller only show records for view, edit and
destroy that belong to their owner (the user who created it).
My question - My first guess would be to perhaps create a filter for
the "show" action. Thus presenting the user with only their own
records. Does this make sense? And, is it possible for a hacker to
send a request like '7;edit' (when 7 doesn't belong to them). So,
perhaps I need to code all the actions for the right user?

TIA
Stuart


On 9/20/06, Dark A. [email protected] wrote:


Update - I'm thinking that probably the best way to approach this is
via an option in the map.resources call in routes.rb? Maybe?

Stuart

I use the meantime_filter plugin to scope the active records in question. It's like having a before and an after filter in one method, so you can yield to a block. In the example below the require_user method is called first and creates the @user object. Then the show action is called, but it is called within the attach_scope method, which scopes the records so only those belonging to the user are shown.

class JobsController < ApplicationController
    before_filter :require_user
    meantime_filter :attach_scope

    def show
       @jobs = Job.find(:all) # Only retrieves this user's jobs, because of the scope below
    end

private
    def require_user
       # find_by_id returns nil instead of raising when the id is unknown,
       # so the check below can actually fire
       @user = User.find_by_id(params[:user])
       if not @user or not @user.enabled
          render :partial => "users/disabled"
          return
       end
    end

    def attach_scope
       Job.with_scope(:find => {:conditions => ["user_id = ?", @user.id]}) do
          yield
       end
    end
end




--
 
Jeremy W.
Serval Systems Ltd.

www.servalsystems.co.uk
Tel: 01342 331940
Fax: 01342 331950

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---

On 9/20/06, Jeremy W. [email protected] wrote:

 meantime_filter :attach_scope
 end

 def attach_scope
    Job.with_scope(:find => {:conditions => ["user_id = ?", @user.id]}) do
       yield
    end
 end
end

This seems to be a nice solution. I received a few errors and sort of
bailed on it for the time being, ONLY because I already have a number
of before_filters in the controller. I thought if I could combine the
user.id into them it might work.

This is my before filter -

protected
  def find_cdetail
    begin
      @cdetail = Cdetail.find(params[:id])
    rescue
      flash.now[:warning] = 'Error, Invalid ID'
      logger.error("RescueAttemptToFindInvalidID#{params[:id]}")
    end
  end

and I tried doing something like this:

protected
  def find_cdetail
    id = params[:id]
    user = current_user.id
    begin
      # find(:all, ...) returns an Array (empty when nothing matches), not one record
      @cdetail = Cdetail.find(:all, :conditions => ["id = :id and user_id = :user",
                                                   {:id => id, :user => user}])
    end
  end

However, it doesn't seem to work as expected.
Stuart

On 2006-09-20, at 12:04 , Dark A. wrote:

I want to make my controller only show records for view, edit and
destroy that belong to their owner (the user who created it).
My question - My first guess would be to perhaps create a filter for
the "show" action. Thus presenting the user with only their own
records. Does this make sense? And, is it possible for a hacker to
send a request like '7;edit' (when 7 doesn't belong to them). So,
perhaps I need to code all the actions for the right user?

Always work from the user:

@application.rb

  def current_user
    User.find(session[:user_id])
  end

@record_controller

  def edit
    # Looking the id up through the user's own association means an id
    # that belongs to someone else is simply not found
    @record = current_user.records.find(params[:id])
  end
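An added, runnable illustration of the advice in this thread (Jeremy's scoped-lookup filter and the "always work from the user" reply above), written for this page and not taken from the thread or from Rails. It models ActiveRecord with a plain in-memory array so it runs without Rails; RECORDS, NotFound, find_unscoped, find_for_user, find_all_for_user, RecordsController and the sample rows are all constructed stand-ins. It also shows why the find(:all, ...) shape in Stuart's attempt misbehaves: a miss comes back as an empty Array instead of raising.

```ruby
# Added example (not from the thread): a Rails-free model of owner-scoped
# record lookup. RECORDS, NotFound, the find_* helpers and RecordsController
# are hypothetical stand-ins for ActiveRecord and the controller in question.

class NotFound < StandardError; end

# Constructed sample data: user 1 (alice) owns records 1 and 2, user 2 (bob)
# owns record 7, the id a hostile client in the question might guess.
RECORDS = [
  { id: 1, user_id: 1, title: "alice's first" },
  { id: 2, user_id: 1, title: "alice's second" },
  { id: 7, user_id: 2, title: "bob's private record" },
]

# Unscoped lookup, the equivalent of Record.find(params[:id]): any id from
# any user resolves, which is the hole the question is about.
def find_unscoped(id)
  RECORDS.find { |r| r[:id] == id } or raise NotFound, "record #{id}"
end

# Owner-scoped lookup, the equivalent of current_user.records.find(id) or of
# Job.with_scope(:find => {:conditions => ["user_id = ?", user.id]}): the id
# is resolved only among the requesting user's rows, so someone else's id is
# indistinguishable from a non-existent one.
def find_for_user(user_id, id)
  RECORDS.find { |r| r[:id] == id && r[:user_id] == user_id } or
    raise NotFound, "record #{id} for user #{user_id}"
end

# The find(:all, :conditions => ...) shape from Stuart's attempt. It returns
# an Array, so a miss is [] (truthy in Ruby) and nothing is raised; an
# `if @cdetail` check never fires and the action keeps going.
def find_all_for_user(user_id, id)
  RECORDS.select { |r| r[:id] == id && r[:user_id] == user_id }
end

# Minimal controller stand-in: one filter resolves the record through the
# current user, and show, edit and destroy all run behind it, so no action
# is left that accepts an arbitrary id.
class RecordsController
  ACTIONS = %w[show edit destroy].freeze   # never dispatch on a raw action name

  def initialize(current_user_id)
    @current_user_id = current_user_id
  end

  # Returns [status, body] for a request such as "/records/7;edit".
  def handle(action, id)
    return [400, "unknown action"] unless ACTIONS.include?(action)
    @record = find_for_user(@current_user_id, Integer(id))  # the before filter
    send(action)
  rescue NotFound, ArgumentError                             # foreign or malformed id
    [404, "not found"]
  end

  private

  def show
    [200, @record[:title]]
  end

  def edit
    [200, "editing #{@record[:title]}"]
  end

  def destroy
    RECORDS.delete(@record)
    [200, "deleted #{@record[:id]}"]
  end
end

if $0 == __FILE__
  alice = RecordsController.new(1)
  puts alice.handle("show", "1").inspect     # [200, "alice's first"]
  puts alice.handle("edit", "7").inspect     # [404, "not found"]
  puts alice.handle("destroy", "7").inspect  # [404, "not found"]
  puts find_all_for_user(1, 7).inspect       # [] (and [] is truthy in Ruby)
end
```

Because every action resolves the id through the requesting user's own rows, a request for another user's id ends in 404 exactly as a non-existent id does, whether the action is show, edit or destroy, so no action has to be audited separately; that is the property the closing reply's current_user.records.find(params[:id]) gives you in Rails.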
