How to do security?

Brutyn_N · December 19, 2005, 5:51pm

hey, i have maded some security in my website based on
http://www.chaconforcongress.com/accounts/login

Here they work with users, roles and persmission, and they check it like
this,
user.has_permission(permission).

I have extended this to: users and groups with roles and permissions.
With permissions like “view records”,“edit records”,“delete records”,…

def has_permission(permission)
@permissions = Hash.new(false)
for group in self.groups
for role in group.roles
for perm in role.permissions
if perm.name == permission
return true
end
end
end
end
false
end

All this works good. But all this security is based on the type of role
the user
has (what actions the user may do)

But now i want also security on “what” the user may see.

i have in my database ex. clients ids => 1 , 2, 3, 4 and 5
User 1 may only see id 1, 2 and 3
User 2 may only see id 2, 4 and 5
User 3 may only see id 3 and 5
…etc

anyone has a idea who to do this???
in this example there are 5 ids, but that can be easily 1000+

Thanks in advance
Nick

Brutyn_N · December 19, 2005, 6:18pm

you many want to implement this via associations

setup a join table clients_users and a habtm relationship between
clients
and users.

then only allow user X to view their associated clients.

(untested)

class ClientController < ApplicationController
def list
# only list current user’s clients
@clients = @session[:user].clients
end

def show
try
# limit find to only those clients that are associated with
current
user
# will raise a RecordNotFound exception if not found
@client = @session[:user].clients.find(params[:id])
rescue RecordNotFound
flash[:error] = “you don’t have access to view that client”
render :action => :list
end
end
end

Brutyn_N · December 20, 2005, 2:57pm

hey,

thanks for that, i was also thinking of that.

But if u have this situation:

Database has 1000 clients
User X may watch 1 to 500
Then u have 500 records in clients_users

Wont that affect the performence of my site ??

If anyone has any other suggestions, also welcome…

Thx
Nick

Brutyn_N · December 20, 2005, 3:33pm

depends on your queries, however querying for 500 records shouldn’t be a
big
performance hit, you can always populate some data and see how long the
queries are taking to execute.

On 12/20/05, Brutyn N. [email protected] wrote:

http://lists.rubyonrails.org/mailman/listinfo/rails

–
Steven R.
web application & interface developer
http://www.zerium.com
[phone] 404-488-4364

Brutyn_N · December 20, 2005, 5:40pm

same thing, different way

class ClientController < ApplicationController
def list
# only list current user’s clients
@clients = @session[:user].clients
end

def show
try
# load the client
@client = Client.find(@params[:id])

  # check if user is associated with the client
  if @client.users.include?(@session[:user])
    # user is associated
  else
    # user is not associated
    flash[:notice] = "user not associated with this client"
    redirect_to :action => :list
  end
 rescue RecordNotFound
  flash[:error] = "Cannot find client!!!"
  redirect_to :action => :list
end

end
end

Brutyn_N · December 21, 2005, 12:18pm

hey,

i’m trying to implement this stuff.

user x can acces client 1, client 2, client 4

i want this on my site, 2 list, one with the available clients, and the
other
with the clients the user can access
(i know this i more javascript, but does anyone has a great script for
this, i
found one but it isnt that good, some bugs i can find)

Select the clients that the user may access.
Available clients Selected clients
client 3 >> client 1
client 5 client 2
client 6 << client 4
client 7

Brutyn_N · December 22, 2005, 2:41pm

Hey,

i want to extend this security stuff

this is the situation:
User x can access all user or several user (ex user1, user 2, user 3)
In the client tab, u can search on clients and the query result is
display under
the search with pagination.

Now u can have 2 things:
-user may access all clients, displays all clients, search on name
brutyn, and
display the clients (normal situation)
-user may access user1, 2 and 3, displays those clients, search on
user1, and
now need to display user1 ( i need help for this => several clients +
search +
pagination)

this is in my controller

def list
#setting the charset to utf8 for displaying the wierd characters on the
page
output_to_html
#getting the firm id from the session
user = User.find(@session[:user].id)
@firm_id = @session[:user].firm_id
#checking if there is a post
if @request.post?
@name = params[:client][:name].blank? ? ‘’ : params[:client][:name]
@address1 = params[:client][:address1].blank? ? ‘’
:params[:client][:address1]
@zip = params[:client][:zip].blank? ? ‘’ : params[:client][:zip]
@city = params[:client][:city].blank? ? ‘’ : params[:client][:city]
@country = params[:client][:country].blank? ? ‘’ :
:params[:client][:country]
end

#getting the clients records depending on the given paramaters and
paginate it
@client_pages, @clients = paginate :client, :conditions => [‘firm_id = ?
and
name like ? and address1 like ? and zip like ? and city like ? and
country like
? and deleted like ?’, @firm_id, “%#{@name}%”, “%#{@address1}%”,
“%#{@zip}%”,
“%#{@city}%”, “%#{@country}%”,0] , :order_by => “name ASC”, :per_page =>
10

if user.has_permission(‘admin’) || user.view_all == 1
else
# only list current user’s clients
for client in user.clients
…check if user may be access, and is in the searched items
end
end

end