I want to make my controller only show records for view, edit and destroy that belong to their owner (the user who created it).

My question - My first guess would be to perhaps create a filter for the "show" action, thus presenting the user with only their own records. Does this make sense? And, is it possible for a hacker to send a request like '7;edit' (when 7 doesn't belong to them)? So, perhaps I need to code all the actions for the right user?

TIA
Stuart
--
http://en.wikipedia.org/wiki/Dark_ambient

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
On 9/20/06, Dark Ambient <sambient-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I want to make my controller only show records for view, edit and
> destroy that belong to their owner (the user who created it).
> My question - My first guess would be to perhaps create a filter for
> the "show" action. Thus presenting the user with only their own
> records. Does this make sense? And, is it possible for a hacker to
> send a request like '7;edit' (when 7 doesn't belong to them). So,
> perhaps I need to code all the actions for the right user?
>
> TIA
> Stuart
>
> --

Update - I'm thinking that probably the best way to approach this is via an option in the map.resources call in routes.rb? Maybe?

Stuart
I use the meantime_filter plugin to scope the active records in question. It's like having a before and after filter in one method, so you can yield a block. In the example below the require_user method is called first and creates the @user object. Then the show action is called, but it is called within the attach_scope method which scopes the records so only those belonging to the user are shown.

  class JobsController < ApplicationController
    before_filter :require_user
    meantime_filter :attach_scope

    def show
      # Runs inside attach_scope, so this only retrieves the user's jobs
      @jobs = Job.find(:all)
    end

    private

    def require_user
      # The user id comes from the URL parameter; find_by_id returns nil
      # (rather than raising) when it is unknown, so the check below can fire
      @user = User.find_by_id(params[:user])
      if not @user or not @user.enabled
        render :partial => "users/disabled"
        return
      end
    end

    def attach_scope
      # Every Job.find issued while the action runs is restricted to this user's rows
      Job.with_scope(:find => {:conditions => ["user_id = ?", @user.id]}) do
        yield
      end
    end
  end

Dark Ambient wrote:
> On 9/20/06, Dark Ambient <sambient-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> I want to make my controller only show records for view, edit and
>> destroy that belong to their owner (the user who created it).
>> My question - My first guess would be to perhaps create a filter for
>> the "show" action. Thus presenting the user with only their own
>> records. Does this make sense? And, is it possible for a hacker to
>> send a request like '7;edit' (when 7 doesn't belong to them). So,
>> perhaps I need to code all the actions for the right user?
>> TIA
>> Stuart
>> --
> Update - I'm thinking that probably the best way to approach this is
> via an option in the map.resources call in routes.rb? Maybe?
> Stuart

--
Jeremy Wells
Serval Systems Ltd.

www.servalsystems.co.uk
Tel: 01342 331940
Fax: 01342 331950
On 2006-09-20, at 12:04 , Dark Ambient wrote:
> I want to make my controller only show records for view, edit and
> destroy that belong to their owner (the user who created it).
> My question - My first guess would be to perhaps create a filter for
> the "show" action. Thus presenting the user with only their own
> records. Does this make sense? And, is it possible for a hacker to
> send a request like '7;edit' (when 7 doesn't belong to them). So,
> perhaps I need to code all the actions for the right user?

Always work from the user:

@application.rb
  def current_user
    User.find(session[:user_id])
  end

@record_controller
  def edit
    # Going through current_user means an id the user does not own raises
    # RecordNotFound instead of loading someone else's record
    @record = current_user.records.find(params[:id])
  end
On 9/20/06, Jeremy Wells <jwells-cH1Rxhrj+4a/3pe1ocb+s/XRex20P6io@public.gmane.org> wrote:
>
> i use the meantime_filter plugin to scope the active records in question.
> It's like having a before and after filter in one method, so you can yield a
> block. In the example below the require_user method is called first and
> creates the @user object. Then the show action is called, but it is called
> within the attach_scope method which scopes the records so only those
> belonging to the user are shown.
>
> class JobsController < ApplicationController
>   before_filter :require_user
>   meantime_filter :attach_scope
>
>   def show
>     @jobs.find(:all) # This will only retrieve the users jobs
>   end
>
>   private
>   def require_user
>     @user = User.find(params[:user])
>     if not @user or not @user.enabled; render :partial =>
>       "users/disabled"; return; end
>   end
>
>   def attach_scope
>     Job.with_scope(:find => {:conditions => ["user_id = ?", @user.id]}) do
>       yield
>     end
>   end
> end
>

This seems to be a nice solution. I received a few errors and sort of bailed on it for the time being, ONLY because I already have a number of before_filters in the controller. I thought if I could combine the user.id into them it might work.

This is my before filter -

  protected
  def find_cdetail
    begin
      @cdetail = Cdetail.find(params[:id])
    rescue
      flash.now[:warning] = 'Error, Invalid ID'
      logger.error("RescueAttemptToFindInvalidID#{params[:id]}")
    end
  end

and I tried doing something like this:

  protected
  def find_cdetail
    id = params[:id]
    user = current_user.id
    begin
      # find(:first, ...) returns one record or nil, unlike find(:all), which returns an Array
      @cdetail = Cdetail.find(:first, :conditions => ["id = :id and user_id = :user", {:id => id, :user => user}])
      ....................
    end

However it doesn't seem to work as expected.

Stuart
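As an added example (written for this page, not code posted by anyone in the thread), the plain-Ruby sketch below puts the approaches discussed side by side without needing Rails: the unscoped find that lets any caller load id 7, the owner-scoped lookup behind current_user.records.find(params[:id]), and an around-filter style scope in the spirit of meantime_filter / with_scope. User, Record, RecordStore, RECORDS, ALICE and BOB are constructed stand-ins for the Rails models and table, and edit_action stands in for a controller action.

```ruby
# Added example, not from the thread: plain-Ruby stand-ins for Rails models.
class NotFound < StandardError; end

User   = Struct.new(:id, :name)
Record = Struct.new(:id, :user_id, :title)

# Constructed sample rows standing in for the records table.
RECORDS = [
  Record.new(5, 1, "alice's draft"),
  Record.new(7, 2, "bob's draft"),
].freeze
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")

class RecordStore
  # Around-filter style scope (the meantime_filter / with_scope idea):
  # every find issued inside the block is restricted to one owner.
  def self.scope(user_id)
    previous = Thread.current[:record_scope]
    Thread.current[:record_scope] = user_id
    yield
  ensure
    Thread.current[:record_scope] = previous
  end

  # Unscoped lookup: whoever supplies the id gets the row, owner or not.
  def self.find_unscoped(id)
    RECORDS.find { |r| r.id == id } or raise NotFound, "record #{id}"
  end

  # Owner-scoped lookup, the equivalent of current_user.records.find(id):
  # another user's row is indistinguishable from a missing one.
  def self.find(id, user_id = Thread.current[:record_scope])
    raise ArgumentError, "no owner scope" if user_id.nil?
    RECORDS.find { |r| r.id == id && r.user_id == user_id } or
      raise NotFound, "record #{id}"
  end
end

# Controller-style edit action: resolve the record through the logged-in
# user and answer 404 for any id that is not theirs (or not numeric).
def edit_action(current_user, params)
  id = Integer(params[:id], 10)
  { status: 200, record: RecordStore.find(id, current_user.id) }
rescue ArgumentError, TypeError, NotFound
  { status: 404, record: nil }
end
```

With Alice logged in, edit_action on id 7 (Bob's record) returns 404 while find_unscoped(7) hands the record over, which is exactly the gap the thread is about.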