Hello,

I have a security schema for all kinds of items in my application (pages, logs, links, ...). Basically it works as follows:

readable_by can be either 'a' (all), 'g' (group) or 'u' (owner). If it is group then rgroup_id is set.
writable_by can be either 'a', 'g' or 'u'. If it is 'g' for 'group', wgroup_id is set.

A user can read
* all posts he created (independently of the readable_by flag)
* posts he has access to from the groups he is in (rgroup_id in ...)
* all public posts (readable_by all)

The same works for write access.

I want to be absolutely sure a bug in my controller cannot override my security schema. This is what I did, but I am not sure if there could be a more elegant way to do this. I would love to override 'find', but it loops on itself...

Any clues on this problem? Is this way of implementing Security in the Model correct?

Thanks for your answers,
Gaspard

    module ApplicationHelper
      class ActiveRecord::Base
        # Secured finder: narrows the caller's conditions to what the session user may read.
        def self.sfind(session, *args)
          #... (change args depending on session parameters)
          #... the change looks like (my code has some error checking not shown
          #    and handles the case where no user is logged in)
          # Session values are interpolated directly into the SQL string here.
          args[1][:conditions][0] = args[1][:conditions][0].to_s +
            " AND ( readable_by = 'a' OR (readable_by = 'g' AND rgroup_id IN (#{session[:user_groups]})) OR user_id = '#{user_id}') "
          # ...
          self.find(*args)
        end

        def writable?(session)
          # ... return true or false depending on session and attributes
        end
      end
    end
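The read rule from the post above, as an added example that is not part of the original post: it builds the same condition with `?` bind values instead of string interpolation, and wraps the caller's conditions in parentheses so an `OR` in them cannot bypass the access clause. The helper names `read_scope` and `secure_find_args`, the `:user_id` session key and numeric ids are assumptions; the result is meant to be passed on as `find(*args)`.

```ruby
# Added example (plain Ruby, no Rails needed). Helper names are hypothetical.

# Returns [sql_fragment, bind_values] for the read rule:
# public rows, rows owned by the user, rows readable by one of his groups.
def read_scope(user_id, group_ids)
  # Nobody logged in: only public rows.
  return ["readable_by = 'a'", []] if user_id.nil?

  # Assumption: ids are numeric. Integer() raises on anything else,
  # so a tampered session value never reaches the SQL text.
  binds = [Integer(user_id)]
  groups = Array(group_ids).map { |g| Integer(g) }

  clauses = ["readable_by = 'a'", "user_id = ?"]
  unless groups.empty?
    marks = (["?"] * groups.size).join(", ")
    clauses << "(readable_by = 'g' AND rgroup_id IN (#{marks}))"
    binds.concat(groups)
  end
  ["(" + clauses.join(" OR ") + ")", binds]
end

# Takes find-style arguments, e.g. (:all, :conditions => [...]), and returns
# a new argument list whose :conditions are ANDed with the read scope.
# Caller conditions may be absent, a String, or [sql, bind, ...].
def secure_find_args(session, *args)
  args = args.dup
  options = args.last.is_a?(Hash) ? args.pop.dup : {}
  if options[:conditions].is_a?(Hash)
    raise ArgumentError, "hash conditions are not handled in this example"
  end

  scope_sql, scope_binds = read_scope(session[:user_id], session[:user_groups])
  caller_sql, *caller_binds = Array(options[:conditions])

  # Parenthesise the caller's SQL: without it, "a OR b AND (scope)" is
  # parsed as "a OR (b AND scope)" and rows matching "a" skip the check.
  sql = caller_sql ? "(#{caller_sql}) AND #{scope_sql}" : scope_sql
  options[:conditions] = [sql, *caller_binds, *scope_binds]
  args << options
end
```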