Rails security help

Hey I was wondering if anyone knows of a gem or plugin that can limit
fields returned based on the User’s role? I’m looking for something
that will basically rewrite the find() method to limit the fields
returned based on the User role.

so,

Admin:
Product.all => returns id, number, description, cost fields

Guest:
Product.all => returns id, number, description fields

Thanks!

Marli Ba wrote:

Hey I was wondering if anyone knows of a gem or plugin that can limit
fields returned based on the User’s role? I’m looking for something
that will basically rewrite the find() method to limit the fields
returned based on the User role.

so,

Admin:
Product.all => returns id, number, description, cost fields

Guest:
Product.all => returns id, number, description fields

Thanks!

We use something similar to filter objects in zena
(http://bit.ly/2yjaVk). Basically, you need two things:

  1. the visitor pattern (stored in Thread.current)
  2. scoped finders

I wrote an exemple of what you could use to filter fields:
http://gist.github.com/210544

To store the visitor in the Thread, the simplest solution is:

unless Thread.current.respond_to?(:visitor)
class << Thread.current
attr_accessor :visitor
end
end
Thread.current.visitor = logged_in_user

Gaspard

Gaspard B. wrote:

We use something similar to filter objects in zena
(http://bit.ly/2yjaVk). Basically, you need two things:

  1. the visitor pattern (stored in Thread.current)
  2. scoped finders

I wrote an exemple of what you could use to filter fields:
http://gist.github.com/210544

To store the visitor in the Thread, the simplest solution is:

unless Thread.current.respond_to?(:visitor)
class << Thread.current
attr_accessor :visitor
end
end
Thread.current.visitor = logged_in_user

Gaspard

Thanks! I’ve been looking through the code and like what I see. I think
I may end up with my own unique implementation, but it’s helpful to see
how others have done things.

Gaspard, I noticed your program uses scopes to limit the returned
information. I’m running rails 2.3.4 and there seems to be an issue
with scopes and HABTM relationships: that they don’t carry through.

I’ve tried using named scopes in my Product class like this:

class Product < ActiveRecord::Base
has_and_belongs_to_many :categories
named_scope :with_fields_for_role, lambda {|role| {:select => code
to only select certain columns based on role
} }
end

class Category < ActiveRecord::Base
has_and_belongs_to_many :products
end

Console:

Product.with_fields_for_role(:guest).first
=> <Product id: 1, number: “000-010”, manufacturer_id: 12,
manufacturer_number: “”, status: “Current”, description: “PURCHASE ORDER
FORMS:”, extended_information: nil>

Category.first.products.with_fields_for_role(:guest).first
=> ## returns all columns of the product

The first statement works perfectly and the second does not. There
already is a bug report about this.

Have you noticed any problems with your program with this issue?

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs