I know I must simply be missing something, but I can't find any kind of information on how to implement basic security in Rails. I mean, Rails is so easy to use to set up a CRUD structure, but how in the world do you protect the actions that handle the "create", "update" and "delete" functionality? Every tutorial that I have read on Rails so far simply leaves the entire structure open to any user.
You could mod the controller template to apply a custom before_filter (such as :login_required when using the salted hash login generator). It would be great to have something like:

    script/generate scaffold secure Model

Having one user for all requests (with full CRUD privs) is dangerous and heightens the potential damage caused by any SQL Injection (or similar) exploits. This bit put me off rails for a while, as I'm quite conservative in the assignment of duties to DB users with the minimum required privs (for instance, a search function would leverage a user with SELECT privs only). I've seen (and found via creative googling) tons of database.yml files with root DB user/pass pairs, as well as plenty of scaffolded apps with zero protection. Security really should be a larger focus of the Rails sell and introduction. I'm not worried so much for folks like myself who will step outside of the defaults, but some people may be operating under a false sense of security.

On Jul 11, 2005, at 5:07 PM, Ryan Jones wrote:
> I know I must simply be missing something, but I can't find any kind of
> information on how to implement basic security in Rails.
>
> I mean, Rails is so easy to use to set up a CRUD structure, but how in
> the world do you protect the actions that handle the "create", "update"
> and "delete" functionality? Every tutorial that I have read on Rails so
> far simply leaves the entire structure open to any user.
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
On 7/11/05, Ryan Jones <ryan-qyX6PtzcItVBDgjK7y7TUQ@public.gmane.org> wrote:
> I know I must simply be missing something, but I can't find any kind of
> information on how to implement basic security in Rails.
>
> I mean, Rails is so easy to use to set up a CRUD structure, but how in
> the world do you protect the actions that handle the "create", "update"
> and "delete" functionality? Every tutorial that I have read on Rails so
> far simply leaves the entire structure open to any user.

I don't think there is a general way to implement this as it is often application specific. If you search the mailing list archives, you can find various discussions of ACL-style systems for various purposes. At the lowest level of security, I'd suggest you include checks in the controller, as it is relatively straightforward to provide simple protections for actions that update/delete/insert/etc. in before_filters. Once you get that more or less working, you might want to consider adding some of that logic into model Observers (ACL-style stuff). At least, that's how I see it working in my head.

I think a lot of this depends on the application. Can you provide more specific details on what goal you're trying to accomplish? Do you have a system with user accounts where some accounts can edit some entries and other accounts can only view them? What are the requirements?

Cheers,
bs.
Ryan Jones <ryan-qyX6PtzcItVBDgjK7y7TUQ@public.gmane.org> writes:
> I know I must simply be missing something, but I can't find any kind
> of information on how to implement basic security in Rails.

Look for access control lists on the wiki. There's been some discussion about it here on the list. The general consensus is that ACLs are fairly specific to each app and should be developed accordingly. That said, there's the very basic login generator and the follow-on salted login generator to help with at least authentication if not some types of authorization. For myself, I have a very simple two-level authorization: either administrators can do anything or users can do almost nothing. Others have much more complex authorization rules.

-- 
doug-jGAhs73c5XxeoWH0uzbU5w@public.gmane.org
On Jul 11, 2005, at 3:07 PM, Ryan Jones wrote:
> I know I must simply be missing something, but I can't find any kind of
> information on how to implement basic security in Rails.
>
> I mean, Rails is so easy to use to set up a CRUD structure, but how in
> the world do you protect the actions that handle the "create", "update"
> and "delete" functionality? Every tutorial that I have read on Rails so
> far simply leaves the entire structure open to any user.
>

I usually write 2 rails apps for a web site, the normal user app and the admin app. Each one has a different database.yml file so the normal user accesses the database with a database user that has select access to most tables while the admin user accesses the database with a user that has select, insert, update, and delete access to most tables. Neither one of these users has the ability to create or drop databases, nor do they have the ability to change the structure of the database. These functions are reserved to the developer of the app(s). So far, I have not needed to have more than 2 levels of access so I have not resorted to doing some kind of ACL based solution yet.

Kim
-- 
Kim Shrier - principal, Shrier and Deihl - mailto:kim-7lDDVWa6PKfQT0dZR+AlfA@public.gmane.org
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/
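As an added example (it is not code from anyone in this thread), the plain-Ruby check below audits the split Kim describes and catches the root-credential database.yml files mentioned earlier in the thread: it loads the contents of a database.yml and flags any environment that connects as root, has an empty password, holds schema-changing grants, or (for the public, read-mostly app) can write at all. The three YAML samples, the account names and the GRANTS privilege map are constructed for the example.

```ruby
require 'yaml'

# Constructed samples: one database.yml per app, as in the two-app setup.
# The public app connects as a read-only account, the admin app as an
# account with DML rights. Neither should be root or hold DDL rights.
PUBLIC_APP_DATABASE_YML = <<~YAML
  production:
    adapter: mysql
    database: shop_production
    username: shop_reader
    password: reader-secret
    host: localhost
YAML

ADMIN_APP_DATABASE_YML = <<~YAML
  production:
    adapter: mysql
    database: shop_production
    username: shop_admin
    password: admin-secret
    host: localhost
YAML

# A scaffolded tutorial app: root with no password at all.
TUTORIAL_DATABASE_YML = <<~YAML
  development:
    adapter: mysql
    database: shop_development
    username: root
    password:
    host: localhost
YAML

# Hypothetical privilege map: what each DB account has been granted.
# In a real audit this comes from the server's grant tables.
GRANTS = {
  'shop_reader' => %w[SELECT],
  'shop_admin'  => %w[SELECT INSERT UPDATE DELETE],
  'root'        => %w[ALL],
}

WRITE_PRIVS = %w[INSERT UPDATE DELETE]
DDL_PRIVS   = %w[CREATE DROP ALTER]

# Expand the MySQL-style ALL shorthand into the concrete privileges.
def effective_privs(user, grants)
  privs = grants.fetch(user, [])
  return %w[SELECT] + WRITE_PRIVS + DDL_PRIVS if privs.include?('ALL')
  privs
end

# Returns a list of findings for one database.yml; an empty list means
# every environment in it follows the least-privilege split.
def audit_database_yml(yml, grants, writes_allowed: true)
  findings = []
  YAML.safe_load(yml).each do |env, cfg|
    user = cfg['username'].to_s
    pass = cfg['password']
    findings << "#{env}: connects as the root account" if user == 'root'
    findings << "#{env}: empty password" if pass.nil? || pass.to_s.empty?

    privs = effective_privs(user, grants)
    ddl = privs & DDL_PRIVS
    findings << "#{env}: #{user} can change the schema (#{ddl.join(', ')})" unless ddl.empty?

    writes = privs & WRITE_PRIVS
    if !writes_allowed && !writes.empty?
      findings << "#{env}: read-only app account #{user} can write (#{writes.join(', ')})"
    end
  end
  findings
end

if __FILE__ == $0
  puts 'public app:   ' + audit_database_yml(PUBLIC_APP_DATABASE_YML, GRANTS, writes_allowed: false).inspect
  puts 'admin app:    ' + audit_database_yml(ADMIN_APP_DATABASE_YML, GRANTS).inspect
  puts 'tutorial app: ' + audit_database_yml(TUTORIAL_DATABASE_YML, GRANTS).inspect
end
```

The privilege map is the part worth automating against the real server (on MySQL, `SHOW GRANTS FOR` the account) so that the check fails when someone quietly widens an account rather than only when the YAML changes.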
I do this:

1) use a filter on 'secure' pages to ensure the session has a valid user id
2) render secure links in the view based on a simple acl linked to the session user id
3) put an acl check in secure actions and redirect if user has no right to action
4) traverse the db using the user as a root where model security is needed

-----Original Message-----
From: rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org [mailto:rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org] On Behalf Of Ryan Jones
Sent: Tuesday, 12 July 2005 7:07 AM
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: [Rails] General security

I know I must simply be missing something, but I can't find any kind of information on how to implement basic security in Rails. I mean, Rails is so easy to use to set up a CRUD structure, but how in the world do you protect the actions that handle the "create", "update" and "delete" functionality? Every tutorial that I have read on Rails so far simply leaves the entire structure open to any user.
On Mon, 2005-07-11 at 15:16 -0600, Ben Schumacher wrote:
> I think a lot of this depends on the application. Can you provide more
> specific details on what goal you're trying to accomplish? Do you have
> a system with user accounts where some accounts can edit some entries
> and other accounts can only view them? What are the requirements?

All I need on my current app are two levels of authentication - one for general users, and another for the admins (and there are only two of us). As such, I really want to avoid the use of sessions for security. Seems like overkill when I don't need a role-based system or have login for users.

Kim's suggestion of actually writing a separate Rails app for the admins sounds like the simplest route to go for my requirements. Any comments on that?

Thanks for all the replies.
Actually, couldn't I just put an authentication method in application.rb, and then do "before_filter :log_in, :only => [:new, :edit, :create]"?

On Tue, 2005-07-12 at 08:02 +0300, Ryan Jones wrote:
> On Mon, 2005-07-11 at 15:16 -0600, Ben Schumacher wrote:
> > I think a lot of this depends on the application. Can you provide more
> > specific details on what goal you're trying to accomplish? Do you have
> > a system with user accounts where some accounts can edit some entries
> > and other accounts can only view them? What are the requirements?
>
> All I need on my current app are two levels of authentication - one for
> general users, and another for the admins (and there are only two of
> us).
>
> As such, I really want to avoid the use of sessions for security. Seems
> like overkill when I don't need a role-based system or have login for
> users.
>
> Kim's suggestion of actually writing a separate Rails app for the admins
> sounds like the simplest route to go for my requirements. Any comments
> on that?
>
> Thanks for all the replies.
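As an added example (it is neither Rails' own filter implementation nor code from anyone in the thread), the plain-Ruby sketch below reproduces just enough of before_filter to show the pattern from the last reply, a filter restricted with :only to the actions that write, together with steps 1 and 3 of the four-step reply above: a check that the session carries a valid user id, and a simple ACL check that redirects when the user has no right to the action. MiniController, PostsController, the USERS role table and the login_required/admin_required filters are all hypothetical names chosen for the example; the one rule it borrows from Rails is that a filter which renders or redirects stops the action from running.

```ruby
# Stand-in for the filter half of a Rails controller: registers
# before_filters with an :only option and halts the chain as soon as a
# filter has produced a response (a redirect or a render).
class MiniController
  class << self
    def filters
      @filters ||= []
    end

    # before_filter :name, :only => [:action, ...]; no :only means every action.
    def before_filter(name, options = {})
      filters << [name, Array(options[:only]).map(&:to_sym)]
    end
  end

  attr_reader :session, :params, :response

  def initialize(session = {}, params = {})
    @session  = session
    @params   = params
    @response = nil
  end

  # Run the filters that apply to this action, then the action itself.
  def process(action)
    action = action.to_sym
    self.class.filters.each do |name, only|
      next unless only.empty? || only.include?(action)
      send(name)
      return @response if @response # a filter redirected or rendered: stop here
    end
    send(action)
    @response
  end

  def redirect_to(path)
    @response = [:redirect, path]
  end

  def render(text)
    @response = [:render, text]
  end
end

# Hypothetical "simple acl": user id from the session => role.
# In a real app this is a lookup against the users table.
USERS = { 1 => :admin, 2 => :user }

class PostsController < MiniController
  # Reading is open; anything that writes needs a logged-in user,
  # and destroy additionally needs the admin role.
  before_filter :login_required, :only => [:new, :edit, :create, :update, :destroy]
  before_filter :admin_required, :only => [:destroy]

  def index;   render 'listing';            end
  def show;    render "post #{params[:id]}"; end
  def new;     render 'new form';           end
  def edit;    render 'edit form';          end
  def create;  render 'created';            end
  def update;  render 'updated';            end
  def destroy; render 'destroyed';          end

  private

  # Step 1: the session must carry a user id we know about.
  def login_required
    redirect_to '/login' unless USERS.key?(session[:user_id])
  end

  # Step 3: the ACL check; redirect away when the role does not allow it.
  def admin_required
    redirect_to '/' unless USERS[session[:user_id]] == :admin
  end
end

# Drive one request: action name, session contents, request params.
def dispatch(action, session = {}, params = {})
  PostsController.new(session, params).process(action)
end

if __FILE__ == $0
  p dispatch(:index)                        # anonymous read is fine
  p dispatch(:create)                       # anonymous write: sent to /login
  p dispatch(:create,  { :user_id => 2 })   # logged-in user may create
  p dispatch(:destroy, { :user_id => 2 })   # but not destroy
  p dispatch(:destroy, { :user_id => 1 })   # admin may
end
```

The check belongs on the action, not only on the links rendered in the view (step 2 of the list): hiding a link is a convenience for the user, while the before_filter is what stops a hand-typed request to /posts/destroy/7. Putting the two filters in ApplicationController and applying them per controller with :only keeps the read actions open without having to list every controller's writing actions twice.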