Forum: Ruby on Rails Locking out users from certain records/urls

Robbie Shepherd (robbie)
on 2006-02-01 23:42
I am using the standard login controller that ships with RoR to
authenticate users in my application. In my app, Users belong to
Clients, Clients have Projects that users are assigned to (stored in a
stakeholder table with user_id and project_id columns), then each
project has a bunch of folders and assets (file uploads).

So currently I have urls that look like /project/show/12 etc. I want to
stop users from typing in something like /project/show/24 and viewing
projects and folders that they are not assigned to... What's the best way
to go about this, given that a user might be assigned to projects with
:id 12, 14, 27 etc, but perhaps not 24?

(pls bear in mind I'm still a relative beginner with RoR, so verbose
answers welcome ;)

thanks
Ian Harding (Guest)
on 2006-02-01 23:52
(Received via mailing list)
Something like

unless StakeHolder.find_by_user_id_and_project_id(session[:user_id],
                                                   params[:project_id])
  # Not yours: redirect back to the user's own list and stop the action here.
  # (With the default /:controller/:action/:id route, a /project/show/12
  # URL delivers the id as params[:id].)
  redirect_to :action => 'list' and return
end

in the project controller list method might work, but I am as new as
you!!!

- Ian



--
"Her faults were those of her race and sex; her virtues were her own.
Farewell, and if for ever - "

-- "Travels with a Donkey in the Cevennes" by Robert Louis Stevenson
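The stakeholder lookup Ian describes, as an added example that is not part of this thread: a plain-Ruby stand-in for the check so it runs without Rails. The rows in STAKEHOLDERS and PROJECTS are constructed sample data (user 1 is on projects 12, 14 and 27 but not 24, as in Robbie's question), and the names STAKEHOLDERS, PROJECTS, stakeholder_for, visible_project_ids and show_project are this example's own, not Rails or this thread's code.

```ruby
# Added example, not code from the thread. Constructed rows standing in for the
# stakeholder table (user_id, project_id) and for the projects table.
STAKEHOLDERS = [
  { user_id: 1, project_id: 12 },
  { user_id: 1, project_id: 14 },
  { user_id: 1, project_id: 27 },
  { user_id: 2, project_id: 24 },
].freeze

PROJECTS = {
  12 => "Redesign", 14 => "Migration", 24 => "Audit", 27 => "Launch",
}.freeze

# Stand-in for Stakeholder.find_by_user_id_and_project_id: returns the row or nil.
# URL parameters arrive as strings ("24"), so both ids are coerced with Integer()
# before comparing; a non-numeric id raises instead of silently matching nothing.
def stakeholder_for(user_id, project_id)
  uid, pid = Integer(user_id), Integer(project_id)
  STAKEHOLDERS.find { |row| row[:user_id] == uid && row[:project_id] == pid }
end

# Projects the user may see: the only ids a "list" action should render links for.
def visible_project_ids(user_id)
  uid = Integer(user_id)
  STAKEHOLDERS.select { |row| row[:user_id] == uid }.map { |row| row[:project_id] }.sort
end

# Mirrors a ProjectController#show action guarded the way Ian suggests. `session`
# and `params` are hashes shaped like the ones Rails hands an action.
# Returns [:show, project_name] or [:redirect, reason] so the outcome is checkable.
def show_project(session, params)
  return [:redirect, "login required"] unless session[:user_id]
  unless stakeholder_for(session[:user_id], params[:id])
    # Not yours: send the user back to their own list rather than reveal the record.
    return [:redirect, "not a stakeholder on project #{params[:id]}"]
  end
  name = PROJECTS[Integer(params[:id])]
  name ? [:show, name] : [:redirect, "no such project"]
rescue ArgumentError, TypeError
  # Malformed or missing id (e.g. "12abc" or nil): treat it as a bad request.
  [:redirect, "malformed project id"]
end
```

The list action should only link to visible_project_ids, but the check in show_project is the one that matters: it is what stops a hand-typed /project/show/24, and it runs on every request regardless of which links were rendered.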
Robbie Shepherd (robbie)
on 2006-02-01 23:57
thanks Ian, I'll give that a whirl...
Siva Jagadeesan (Guest)
on 2006-02-02 18:13
(Received via mailing list)
You could create Users of different roles and check whether a user can
look at a particular record.

For example you can have a

User class and an Admin class (which inherits from User). Both have
permission classes.

When logging in, instantiate the according user role (User or Admin using
the inheritance column).

In your permission class for User

def check_user_have_access?(project)
   # user is the logged-in user this permission object was built for
   return project.user.id == user.id
end

In your Admin permission class
def check_user_have_access?(project)
   return true
end


This way Admin will be able to see all projects and Users can see
projects only they own.

<This approach is used in RForum. Check out their source code. It is a
pretty simple approach and works great>


--
Rgds,
--Siva Jagadeesan
http://www.varcasa.com/
My First Rails Project.
Education Through Collaboration
Kelly Dwight Felkins (Guest)
on 2006-02-02 18:58
(Received via mailing list)
This is the 'authorized user/unauthorized access' problem. In many
systems you have users who are authorized to use the system, but not
authorized to see other users' data. It can be a real challenge.

In my opinion you are asking for trouble if you rely on UI/controller
code to check this for you. I think this is the equivalent of putting
access checking into an editor to make sure that non-privileged users
can't edit '/etc/passwd'.
Sooner or later you or someone that follows you will miss something and
someone will peek at someone else's stuff. If the stuff is sensitive you
may have a real problem. If it is a commercial site you may lose all your
customers.

Instead you want to push this down below the UI. Sure, you put checks in
the UI - but if you miss one, you want something below to throw an
exception.

Move that logic into your models. Make your models user aware, then
override methods that you want to protect and add the user access
checking there.

This is a little more work initially, but you will sleep better in the
long run.

-Kelly
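Siva's per-role permission classes and Kelly's model-level enforcement fit together, and the following added example (plain Ruby, no Rails; not code from this thread, RForum or Rails) shows both: a permission object is chosen by role, and the Project model's readers call it and raise, so a controller that forgot Ian's check still cannot hand out another client's project. AccessDenied, User, UserPermission, AdminPermission, permission_for, Project, PROJECT_TABLE, ROBBIE, ADMIN and show_folders are names made up for this example, and the data is constructed (user 1 is on 12, 14 and 27, not 24).

```ruby
# Added example, not code from the thread.
class AccessDenied < StandardError; end

# Minimal stand-in for a user record: id, role, and the project ids the user
# is a stakeholder on (what the stakeholder table would supply in Rails).
User = Struct.new(:id, :role, :project_ids)

# Siva's pattern: one permission class per role, selected by the user's role.
class UserPermission
  def initialize(user)
    @user = user
  end

  # Ordinary users may view only projects they are stakeholders on.
  def can_view?(project)
    @user.project_ids.include?(project.id)
  end
end

class AdminPermission < UserPermission
  # Admins may view every project.
  def can_view?(_project)
    true
  end
end

def permission_for(user)
  user.role == :admin ? AdminPermission.new(user) : UserPermission.new(user)
end

# Kelly's pattern: the model is user-aware. Every reader that exposes data takes
# the requesting user and raises when that user is not allowed, so a missed
# controller check becomes an exception rather than a leak.
class Project
  attr_reader :id

  def initialize(id, name, folders)
    @id, @name, @folders = id, name, folders
  end

  def name(as:)
    authorize!(as)
    @name
  end

  def folders(as:)
    authorize!(as)
    @folders.dup
  end

  private

  def authorize!(user)
    return if permission_for(user).can_view?(self)
    raise AccessDenied, "user #{user.id} may not view project #{id}"
  end
end

# Constructed sample data mirroring the thread.
PROJECT_TABLE = {
  12 => Project.new(12, "Redesign", ["specs", "mockups"]),
  24 => Project.new(24, "Audit", ["findings"]),
}.freeze
ROBBIE = User.new(1, :user, [12, 14, 27])
ADMIN  = User.new(9, :admin, [])

# A controller action that forgot to check the stakeholder table: it fetches the
# project by the raw id and asks the model for its folders. The model refuses
# on its own. Returns the folder list, or :denied when access is refused.
def show_folders(user, project_id)
  PROJECT_TABLE.fetch(project_id).folders(as: user)
rescue AccessDenied
  :denied
end
```

The controller-level check from earlier in the thread still belongs in place (it gives a friendly redirect instead of a 500); the model guard is the backstop Kelly is asking for, and because it lives on the model it also covers any future action, mailer or script that touches Project.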