I am using the standard login controller that ships with RoR to authenticate users in my application. In my app, Users belong to Clients, Clients have Projects that users are assigned to (stored in a stakeholder table with user_id and project_id columns), then each project has a bunch of folders and assets (file uploads).

So currently I have urls that look like /project/show/12 etc. I want to stop users from typing in something like /project/show/24 and viewing projects and folders that they are not assigned to... what's the best way to go about this, given that a user might be assigned to projects with :id 12, 14, 27 etc, but perhaps not 24?

(pls bear in mind I'm still a relative beginner with RoR, so verbose answers welcome ;)

thanks

--
Posted via http://www.ruby-forum.com/.
Something like

    # With a /project/show/12 style URL the id arrives as params[:id].
    unless StakeHolder.find_by_user_id_and_project_id(session[:user_id], params[:project_id])
      # Not yours: redirect or something.
    end

in the project controller list method might work, but I am as new as you!!!

- Ian

--
"Her faults were those of her race and sex; her virtues were her own. Farewell, and if for ever - " -- "Travels with a Donkey in the Cevennes" by Robert Louis Stevenson
robbie shepherd
2006-Feb-01 22:57 UTC
[Rails] Re: Locking out users from certain records/urls
thanks Ian, I'll give that a whirl...
Siva Jagadeesan
2006-Feb-02 17:12 UTC
[Rails] Re: Locking out users from certain records/urls
You could create Users of different roles and check whether a user can look at a particular record. For example you can have a User class and an Admin class (which inherits from User). Both have permission classes.

When logging in, instantiate the appropriate user role (User or Admin, using the inheritance column).

In your permission class for User:

    def check_user_have_access?(project)
      return project.user.id == user.id
    end

In your Admin permission class:

    def check_user_have_access?(project)
      return true
    end

This way Admin will be able to see all projects and Users can see projects only they own.

<This approach is used in RForum. Check out their source code. It is a pretty simple approach and works great>

--
Rgds,
--Siva Jagadeesan
http://www.varcasa.com/
My First Rails Project. Education Through Collaboration
Kelly Dwight Felkins
2006-Feb-02 17:55 UTC
[Rails] Re: Locking out users from certain records/urls
This is the 'authorized user/unauthorized access' problem. In many systems you have users that are authorized to use the system, but not authorized to see other users' data. It can be a real challenge.

In my opinion you are asking for trouble if you rely on UI/controller code to check this for you. I think this is the equivalent of putting access checking into an editor to make sure that non-privileged users can't edit '/etc/passwd'. Sooner or later you or someone that follows you will miss something and someone will peek at someone else's stuff. If the stuff is sensitive you may have a real problem. If it is a commercial site you may lose all your customers.

Instead you want to push this down below the UI. Sure, you put checks in the UI - but if you miss one, you want something below to throw an exception. Move that logic into your models. Make your models user aware, then override methods that you want to protect and add the user access checking there. This is a little more work initially, but you will sleep better in the long run.

-Kelly
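One way to put the three suggestions together (Ian's stakeholder lookup, Siva's admin role, Kelly's model-level guard), as an added example that is not code from the thread: a plain-Ruby sketch that runs without Rails. The in-memory tables, User#admin?, Project.find_for and show_project are assumptions standing in for the poster's models and controller.

```ruby
# Added example, not code from the thread. Constructed in-memory stand-ins
# replace the database so the check can be run and read on its own.

class NotAuthorized < StandardError; end

# Constructed stand-in for the stakeholder join table (user_id, project_id).
STAKEHOLDERS = [
  { user_id: 1, project_id: 12 }, { user_id: 1, project_id: 14 },
  { user_id: 1, project_id: 27 }, { user_id: 2, project_id: 24 }
].freeze
# Constructed stand-in for the projects table: id => name.
PROJECTS = { 12 => 'Alpha', 14 => 'Beta', 24 => 'Gamma', 27 => 'Delta' }.freeze

# Assumed user record; :role is the inheritance-column idea from Siva's reply.
User = Struct.new(:id, :role) do
  def admin?
    role == :admin
  end
end

class Project
  attr_reader :id, :name

  def initialize(id, name)
    @id = id
    @name = name
  end

  def self.stakeholder?(user_id, project_id)
    STAKEHOLDERS.any? { |s| s[:user_id] == user_id && s[:project_id] == project_id }
  end

  # Model-level guard (Kelly's point): a project is only reachable through a
  # user, so a controller that forgets the check still cannot hand out a
  # record the user is not assigned to. Admins see everything.
  def self.find_for(user, project_id)
    name = PROJECTS[project_id]
    raise NotAuthorized, "no project #{project_id}" if name.nil?
    unless user.admin? || stakeholder?(user.id, project_id)
      raise NotAuthorized, "user #{user.id} is not assigned to project #{project_id}"
    end
    new(project_id, name)
  end
end

# Controller-style action for /project/show/:id. The id comes straight from
# the URL, so it is parsed strictly and never trusted on its own.
def show_project(current_user, params)
  project = Project.find_for(current_user, Integer(params[:id]))
  { status: 200, body: project.name }
rescue NotAuthorized, ArgumentError, TypeError
  # One answer for "missing" and "not yours", so ids cannot be enumerated.
  { status: 404, body: 'Not Found' }
end
```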