hey, I have made some security in my website based on http://www.chaconforcongress.com/accounts/login

Here they work with users, roles and permissions, and they check it like this: user.has_permission(permission).

I have extended this to: users and groups with roles and permissions, with permissions like "view records", "edit records", "delete records", ...

    def has_permission(permission)
      # walk user -> groups -> roles -> permissions; true on the first name match
      for group in self.groups
        for role in group.roles
          for perm in role.permissions
            if perm.name == permission
              return true
            end
          end
        end
      end
      false
    end

All this works well. But all this security is based on the type of role the user has (what actions the user may do).

But now I also want security on "what" the user may see.

I have in my database e.g. client ids => 1, 2, 3, 4 and 5
User 1 may only see ids 1, 2 and 3
User 2 may only see ids 2, 4 and 5
User 3 may only see ids 3 and 5
.... etc.

Does anyone have an idea how to do this???
In this example there are 5 ids, but that can easily be 1000+

Thanks in advance
Nick
You may want to implement this via associations: set up a join table clients_users and a habtm relationship between clients and users. Then only allow user X to view their associated clients.
(untested)
    class ClientController < ApplicationController
      def list
        # only list the current user's clients
        @clients = session[:user].clients
      end

      def show
        begin
          # limit the find to the clients associated with the current user;
          # raises RecordNotFound if the requested id is not among them
          @client = session[:user].clients.find(params[:id])
        rescue ActiveRecord::RecordNotFound
          flash[:error] = "you don't have access to view that client"
          render :action => :list
        end
      end
    end
On 12/19/05, Brutyn Nick <brutyn_nick-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org> wrote:
_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
hey,

thanks for that, I was also thinking of that.

But if you have this situation:

Database has 1000 clients
User X may watch 1 to 500
Then you have 500 records in clients_users

Won't that affect the performance of my site??

If anyone has any other suggestions, also welcome...

Thx
Nick
Depends on your queries; however, querying for 500 records shouldn't be a big performance hit. You can always populate some data and see how long the queries are taking to execute.

On 12/20/05, Brutyn Nick <brutyn_nick-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org> wrote:

--
Steven Ross
web application & interface developer
http://www.zerium.com
[phone] 404-488-4364
Same thing, different way:
    class ClientController < ApplicationController
      def list
        # only list the current user's clients
        @clients = session[:user].clients
      end

      def show
        begin
          # load the client first, then check that the user is associated with it
          @client = Client.find(params[:id])
          unless @client.users.include?(session[:user])
            # user is not associated with this client
            flash[:notice] = "user not associated with this client"
            redirect_to :action => :list
          end
        rescue ActiveRecord::RecordNotFound
          flash[:error] = "Cannot find client!!!"
          redirect_to :action => :list
        end
      end
    end
On 12/20/05, Steven Ross <nowhiding-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
hey,

I'm trying to implement this stuff.

User x can access client 1, client 2, client 4.
I want this on my site: two lists, one with the available clients, and the other with the clients the user can access (I know this is more JavaScript, but does anyone have a great script for this? I found one but it isn't that good, some bugs I can find).

Select the clients that the user may access.

    Available clients         Selected clients
    client 3             >>   client 1
    client 5                  client 2
    client 6             <<   client 4
    client 7
Hey,

I want to extend this security stuff. This is the situation:

User x can access all users or several users (e.g. user1, user2, user3).
In the client tab, you can search on clients and the query result is displayed under the search with pagination.

Now you can have two things:
- user may access all clients: displays all clients, search on name brutyn, and display the clients (normal situation)
- user may access user1, 2 and 3: displays those clients, search on user1, and now need to display user1 (I need help for this => several clients + search + pagination)

This is in my controller:
    def list
      # set the charset to utf8 for displaying the weird characters on the page
      output_to_html
      # get the user and the firm id from the session
      user     = User.find(session[:user].id)
      @firm_id = session[:user].firm_id
      # read the search fields if the form was posted
      if request.post?
        @name     = params[:client][:name].blank?     ? '' : params[:client][:name]
        @address1 = params[:client][:address1].blank? ? '' : params[:client][:address1]
        @zip      = params[:client][:zip].blank?      ? '' : params[:client][:zip]
        @city     = params[:client][:city].blank?     ? '' : params[:client][:city]
        @country  = params[:client][:country].blank?  ? '' : params[:client][:country]
      end
      # get the client records matching the given parameters and paginate them
      @client_pages, @clients = paginate :client,
        :conditions => ['firm_id = ? and name like ? and address1 like ? and zip like ? and city like ? and country like ? and deleted like ?',
                        @firm_id, "%#{@name}%", "%#{@address1}%", "%#{@zip}%", "%#{@city}%", "%#{@country}%", 0],
        :order_by => "name ASC", :per_page => 10
      unless user.has_permission('admin') || user.view_all == 1
        # only list the current user's clients
        for client in user.clients
          # ..... check if the user may access it, and whether it is in the searched items
        end
      end
    end
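As an added example (not code from the thread), here is the approach in plain Ruby without ActiveRecord: the per-user client restriction is folded into the same :conditions array that the list action passes to paginate, so search, access check and pagination happen in one query instead of looping over user.clients afterwards. The User and Client structs, the view_all/permissions/client_ids fields and the sample data are assumptions made for this example.

```ruby
User   = Struct.new(:id, :view_all, :permissions, :client_ids)
Client = Struct.new(:id, :firm_id, :name, :city, :deleted)
SEARCH_FIELDS = %w[name city]  # the real action also filters address1, zip and country

# nil means "no restriction" (admin or view_all); otherwise the ids the user may see.
def visible_client_ids(user)
  return nil if user.permissions.include?('admin') || user.view_all == 1
  user.client_ids
end

# Build the [sql, *binds] array for :conditions, with the access restriction as
# part of the same query as the search. Returns nil when the user may see no
# clients at all: the caller then skips the query instead of emitting "IN ()".
def client_conditions(user, firm_id, filters)
  sql   = ['firm_id = ?', 'deleted = ?']
  binds = [firm_id, 0]
  SEARCH_FIELDS.each do |f|
    sql   << "#{f} LIKE ?"
    binds << "%#{filters[f]}%"   # a blank filter becomes '%%' and matches everything
  end
  ids = visible_client_ids(user)
  if ids
    return nil if ids.empty?
    sql   << 'id IN (?)'         # ActiveRecord expands an array bind into a quoted list
    binds << ids
  end
  [sql.join(' AND '), *binds]
end

# In-memory stand-in for the database so the example runs without Rails; it
# applies the same rules (case-insensitive substring match, like MySQL LIKE).
def search_clients(clients, user, firm_id, filters)
  ids = visible_client_ids(user)
  clients.select do |c|
    c.firm_id == firm_id && c.deleted == 0 &&
      (ids.nil? || ids.include?(c.id)) &&
      SEARCH_FIELDS.all? { |f| c[f].to_s.downcase.include?(filters[f].to_s.downcase) }
  end.sort_by(&:name)
end

# Constructed sample data (not from the thread): firm 1 has clients 1-4,
# client 4 is soft-deleted, client 5 belongs to another firm.
CLIENTS = [
  Client.new(1, 1, 'Brutyn', 'Gent', 0), Client.new(2, 1, 'Ross', 'Atlanta', 0),
  Client.new(3, 1, 'Brutyn Nick', 'Brugge', 0), Client.new(4, 1, 'Brutyn Old', 'Gent', 1),
  Client.new(5, 2, 'Brutyn Other', 'Gent', 0),
]
ADMIN      = User.new(1, 0, ['admin'], [])
RESTRICTED = User.new(2, 0, [], [1, 4, 5])   # may see only clients 1, 4 and 5
NOBODY     = User.new(3, 0, [], [])
```

A user with no associated clients yields nil conditions and an empty list rather than an unscoped query, which is the case the loop-and-check approach tends to forget.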