Securing the Model


#1

Hello,

I have a security schema for all kinds of items in my application
(pages, logs, links, …). Basically it works as follows :
readable_by can be either ‘a’ (all) ‘g’ (group) or ‘u’ (owner). If it
is group then rgroup_id is set.
writable_by can be either ‘a’, ‘g’ or ‘u’. If it is ‘g’ for ‘group’,
wgroup_id is set.

a user can read
* all posts he created (independantly of the readable_by flag)
* he has access to from the groups he is (rgroup_id in …)
* all public posts (readable_by all)

the same works for write access.

I want to be absolutely sure a bug in my controller can not override
my security schema. This is what I did, but I am not sure if there
could be a more elegant way to do this. I would love to override
‘find’, but it loops on it-self…

Any clues on this problem ? Is this way of implementing Security in
the Model correct ?

Thanks for your answers,

Gaspard

module ApplicationHelper
class ActiveRecord::Base

  def self.sfind(session, *args)
      #... (change args depending on session parameters)
      #... the change looks like (my code has some error checking

not shown and handles the case where no user is logged in)
args[1][:conditions][0] = args[1][:conditions][0].to_s + " AND
( readable_by = ‘a’ OR (readable_by = ‘g’ AND rgroup_id IN (#{session
[:user_groups]})) OR user_id = ‘#{user_id}’) "
# …
self.find(*args)
end

  def writable?(session)
      ... return true or false depending on session and attributes
  end

end

end