I am using the standard login controller that ships with RoR to authenticate users in my application. In my app, Users belong to Clients, Clients have Projects that users are assigned to (stored in a stakeholder table with user_id and project_id columns), then each project has a bunch of folders and assets (file uploads).

So currently I have urls that look like /project/show/12 etc. I want to stop users from typing in something like /project/show/24 and viewing projects and folders that they are not assigned to... what's the best way to go about this, given that a user might be assigned to projects with :id 12, 14, 27 etc, but perhaps not 24?

(Pls bear in mind I’m still a relative beginner with RoR, so verbose answers welcome.)
This is the ‘authorized user/unauthorized access’ problem. In many systems you have users who are authorized to use the system, but not authorized to see other users’ data. It can be a real challenge.

In my opinion you are asking for trouble if you rely on UI/controller code to check this for you. I think this is the equivalent of putting access checking into an editor to make sure that non-privileged users can’t edit ‘/etc/passwd’.

Sooner or later you or someone that follows you will miss something and someone will peek at someone else’s stuff. If the stuff is sensitive you may have a real problem. If it is a commercial site you may lose all your customers.

Instead you want to push this down below the UI. Sure you put checks in the UI - but if you miss one, you want something below to throw an exception.

Move that logic into your models. Make your models user aware, then override methods that you want to protect and add the user access checking there. This is a little more work initially, but you will sleep better in the long run.

-Kelly
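The model-level check Kelly describes, as an added example that is not part of either post: a `Project.find_for(user, id)` loader that consults the stakeholder assignments and raises if the user is not assigned, so a `/project/show/24` request is refused even when a controller forgets to check. Plain Ruby stands in for ActiveRecord so it runs without Rails; `NotAuthorized`, `find_for`, `accessible_ids`, `show_project` and the sample rows are all assumptions, not Rails API.

```ruby
# Added example (not from the thread). In-memory stand-ins for the
# projects and stakeholders tables; a real app would use ActiveRecord.
class NotAuthorized < StandardError; end

User = Struct.new(:id)

# Constructed sample data: user 1 is assigned to 12, 14, 27 but not 24.
STAKEHOLDERS = [
  { user_id: 1, project_id: 12 },
  { user_id: 1, project_id: 14 },
  { user_id: 1, project_id: 27 },
  { user_id: 2, project_id: 24 },
].freeze
PROJECTS = { 12 => "Website redesign", 14 => "Logo refresh",
             24 => "Unannounced launch", 27 => "Brochure" }.freeze

class Project
  attr_reader :id, :name

  def initialize(id, name)
    @id, @name = id, name
  end

  # Project ids the user is assigned to via the stakeholder table.
  def self.accessible_ids(user)
    STAKEHOLDERS.select { |s| s[:user_id] == user.id }.map { |s| s[:project_id] }
  end

  # The only way to load a project on behalf of a user. Checking the
  # assignment here (below the controller) means a forgotten UI check
  # cannot leak someone else's project: the load itself raises.
  def self.find_for(user, id)
    id = Integer(id) # params[:id] arrives as a string
    unless accessible_ids(user).include?(id)
      raise NotAuthorized, "user #{user.id} may not view project #{id}"
    end
    new(id, PROJECTS.fetch(id))
  end
end

# What a controller's show action reduces to: it never calls a bare
# find by id, so it cannot bypass the check.
def show_project(current_user, id_param)
  Project.find_for(current_user, id_param)
end

if __FILE__ == $0
  alice = User.new(1)
  puts show_project(alice, "12").name # Website redesign
  begin
    show_project(alice, "24")         # not assigned: raises
  rescue NotAuthorized => e
    puts "denied: #{e.message}"
  end
end
```

In Rails the same idea is a class method or scope on the model that takes `current_user`, with the controller rescuing `NotAuthorized` to render a 403 instead of the project.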