Rails security help

Hey, I was wondering if anyone knows of a gem or plugin that can limit
the fields returned based on the User’s role? I’m looking for something
that will basically rewrite the find() method to limit the fields
returned based on the User’s role.

So,

Admin:
Product.all => returns id, number, description, cost fields

Guest:
Product.all => returns id, number, description fields

Thanks!

Marli Ba wrote:

> Hey, I was wondering if anyone knows of a gem or plugin that can limit
> the fields returned based on the User’s role? I’m looking for something
> that will basically rewrite the find() method to limit the fields
> returned based on the User’s role.
>
> So,
>
> Admin:
> Product.all => returns id, number, description, cost fields
>
> Guest:
> Product.all => returns id, number, description fields
>
> Thanks!

We use something similar to filter objects in zena
(zena/lib/zena/acts/secure.rb at master · zena/zena · GitHub). Basically, you need two things:

  1. the visitor pattern (stored in Thread.current)
  2. scoped finders

I wrote an example of what you could use to filter fields:
gist:210544 · GitHub

To store the visitor in the Thread, the simplest solution is:

unless Thread.current.respond_to?(:visitor)
  class << Thread.current
    attr_accessor :visitor
  end
end
Thread.current.visitor = logged_in_user

Gaspard

Gaspard B. wrote:

> We use something similar to filter objects in zena
> (zena/lib/zena/acts/secure.rb at master · zena/zena · GitHub). Basically, you need two things:
>
>   1. the visitor pattern (stored in Thread.current)
>   2. scoped finders
>
> I wrote an example of what you could use to filter fields:
> gist:210544 · GitHub
>
> To store the visitor in the Thread, the simplest solution is:
>
> unless Thread.current.respond_to?(:visitor)
>   class << Thread.current
>     attr_accessor :visitor
>   end
> end
> Thread.current.visitor = logged_in_user
>
> Gaspard

Thanks! I’ve been looking through the code and like what I see. I think
I may end up with my own unique implementation, but it’s helpful to see
how others have done things.

Gaspard, I noticed your program uses scopes to limit the returned
information. I’m running rails 2.3.4 and there seems to be an issue
with scopes and HABTM relationships: that they don’t carry through.

I’ve tried using named scopes in my Product class like this:

class Product < ActiveRecord::Base
  has_and_belongs_to_many :categories
  named_scope :with_fields_for_role, lambda { |role|
    # :select lists only the columns the given role may see;
    # columns_for_role stands for the role-to-column mapping elided in the post
    { :select => columns_for_role(role) }
  }
end

class Category < ActiveRecord::Base
  has_and_belongs_to_many :products
end

Console:

Product.with_fields_for_role(:guest).first
=> #<Product id: 1, number: "000-010", manufacturer_id: 12,
manufacturer_number: "", status: "Current", description: "PURCHASE ORDER
FORMS:", extended_information: nil>

Category.first.products.with_fields_for_role(:guest).first
=> # returns all columns of the product

The first statement works perfectly and the second does not. There
already is a bug report about this.

Have you noticed any problems with your program with this issue?
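Added example (not code from the thread, from zena or from the gist): the two pieces Gaspard lists, a visitor kept in Thread.current and a role-scoped finder, written in plain Ruby with constructed in-memory rows in place of ActiveRecord, and with the column whitelist applied on the association path where Marli saw the scope's :select get dropped. The Visitor module, COLUMNS_FOR_ROLE, ROWS and the Category class are assumptions; the role-to-column mapping is the one from the original question.

```ruby
require 'set'

# Visitor pattern from the thread: the logged-in user is kept on the current
# thread so model code can reach it without passing it through every call.
module Visitor
  def self.current=(user)
    Thread.current[:visitor] = user
  end
  def self.current
    Thread.current[:visitor]
  end
end

class Product
  # Whitelist of columns per role, taken from the original question (assumed
  # mapping). A role that is not listed falls back to the guest set.
  COLUMNS_FOR_ROLE = {
    :admin => Set[:id, :number, :description, :cost],
    :guest => Set[:id, :number, :description]
  }.freeze

  # Constructed rows standing in for the products table.
  ROWS = [
    { :id => 1, :number => '000-010', :description => 'PURCHASE ORDER FORMS:', :cost => 12.5 },
    { :id => 2, :number => '000-011', :description => 'INVOICE PADS', :cost => 3.25 }
  ].freeze

  def self.columns_for(role)
    COLUMNS_FOR_ROLE.fetch(role, COLUMNS_FOR_ROLE[:guest])
  end

  # Scoped finder: strips every column the visitor's role may not see.
  # A missing visitor is treated as a guest, never as an admin.
  def self.all(visitor = Visitor.current)
    allowed = columns_for(visitor ? visitor[:role] : :guest)
    ROWS.map { |row| row.select { |col, _| allowed.include?(col) } }
  end
end

class Category
  def initialize(product_ids)
    @product_ids = product_ids
  end
  # The association path that leaked columns in the thread. Filtering lives
  # in Product.all, so nothing here depends on a scope surviving the join.
  def products(visitor = Visitor.current)
    Product.all(visitor).select { |p| @product_ids.include?(p[:id]) }
  end
end
```

Because the filter runs on every record Product hands out, the cost column stays hidden for a guest whether the product is loaded directly or through a category.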