eggie5
2010-Jan-13 05:53 UTC
User a owns resource x; don't let user b see user a's resources...
I have a system of users who have many resources. For example, a user may have many books, many friends, many items, etc. I have an authentication system in which users can log in, working just fine (authlogic). However, I have some default scaffold-type pages for index. You can view a list of Users, a list of Books and a list of Friends. However, when you go to the friends page the user can see the friends of all the other users too.

Manually I could just modify all my index methods in all the respective books/friends/items controllers to say current_user.friends.all, etc. instead of Friends.all. But then the user can still view friends that aren't theirs by just guessing the id: friends/32. I need a higher-level system to enforce these rules. Not sure how to describe the design problem more simply. Is there a tool or method in place to handle such an issue? I would think of something like acts_as_resource (doesn't exist) in the Friends model so that any call to Friends will make sure that the friend belongs to the user by association. This should be on the controller level though and not on the model, I don't think.

Any ideas?

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Eduard Martini
2010-Jan-13 13:02 UTC
Re: User a owns resource x; don't let user b see user a's resources...
Don't take the user id from the url.

For example, don't do this:

url:
/show_friends/5
code:
Users.find(5).friends

But do this:

url:
/show_friends
code:
current_user.friends

where current_user is the currently authenticated user. You know who is logged in, you don't need to pass his id around.

On Jan 13, 7:53 am, eggie5 <egg...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I have a system of users who have many resources. For example a user
> may have many books, many friends, many items, etc. I have an
> authentication system in which users can login working just fine
> (authlogic). However, I have some default scaffold type pages for
> index. You can view a list of Users and a list of Book and a List of
> Friends. However when you go to the friends page the user can see the
> friends of all the other users too. Manually I could just modify all
> my index methods in the all the respective books friends items
> controllers to say current_user.friends.all, ... etc instead of
> Friends.all. But then still the user can view friends that aren't
> theirs by just guessing the Id friends/32 I need a higher level system
> to enforce these rules. Not sure how to describe the design problem
> more simply is there a tool, method in place to handle such an issue.
> i would think like acts_as_resource (doesn't exist) in the Friends
> model so that any call to Friends will make sure that the friend
> belongs to the user by association. This should be on the controller
> level though and not on the model I dont think.
>
> Any ideas?
Rick DeNatale
2010-Jan-13 22:12 UTC
Re: Re: User a owns resource x; don't let user b see user a's resources...
On Wed, Jan 13, 2010 at 8:02 AM, Eduard Martini <eduard.martini-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Don't take the user id from the url.
>
> For example, don't do this:
>
> url:
> /show_friends/5
> code:
> Users.find(5).friends
>
> But do this:
>
> url:
> /show_friends
> code:
> current_user.friends
>
> where current_user is the currently auth user. You know who is logged
> in, don't need to pass his id around.

And for the use case which the OP raised, which is the show action, it should be:

def show
  friend = current_user.friends.find(params[:id])
end

which scopes the find to the user's friends. Similar comment for other actions like edit and update.

-- 
Rick DeNatale

Blog: http://talklikeaduck.denhaven2.com/
Twitter: http://twitter.com/RickDeNatale
WWR: http://www.workingwithrails.com/person/9021-rick-denatale
LinkedIn: http://www.linkedin.com/in/rickdenatale
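A runnable illustration of the two replies above (Eduard's "use current_user, not an id from the URL" and Rick's scoped find), added here as an example; it is not code from the thread. It is plain Ruby with no Rails: the User and Friend structs, the in-memory FRIENDS table and the FriendScope class are stand-ins for ActiveRecord models and a has_many :friends association, constructed for illustration, and current_user is assumed to be whatever the authentication layer returns. The unscoped lookup is kept alongside the scoped one so the difference is visible on the same data.

```ruby
# Added example, not from the thread. Plain Ruby, no Rails: Struct-based
# User/Friend records and an in-memory table stand in for ActiveRecord
# models, and FriendScope mimics a has_many :friends association.

class RecordNotFound < StandardError; end

User   = Struct.new(:id, :login)
Friend = Struct.new(:id, :user_id, :name)

# Constructed sample data: alice (id 1) and bob (id 2) each own some friends.
USERS   = [User.new(1, "alice"), User.new(2, "bob")].freeze
FRIENDS = [
  Friend.new(10, 1, "carol"),
  Friend.new(11, 1, "dave"),
  Friend.new(32, 2, "erin"),   # bob's friend; alice must not see it
].freeze

# Stand-in for the association proxy returned by `current_user.friends`.
# Every query it runs is already restricted to rows owned by that user,
# so there is no way to ask it for somebody else's record.
class FriendScope
  def initialize(owner)
    @owner = owner
    @rows  = FRIENDS.select { |f| f.user_id == owner.id }
  end

  def all
    @rows
  end

  # Equivalent of `current_user.friends.find(params[:id])`: a guessed id that
  # belongs to another user is simply not in the scope and raises, exactly
  # as an id that does not exist at all would.
  def find(id)
    row = @rows.find { |f| f.id == Integer(id) }
    raise RecordNotFound, "Couldn't find Friend with id=#{id} for user #{@owner.login}" unless row
    row
  end
end

# The pattern the thread warns against: Friend.find(params[:id]) over the
# whole table. Any authenticated user can read any row by guessing the id.
def unscoped_find(id)
  row = FRIENDS.find { |f| f.id == Integer(id) }
  raise RecordNotFound, "Couldn't find Friend with id=#{id}" unless row
  row
end

# Controller actions written as plain methods. `current_user` is assumed to
# be the object the authentication layer (authlogic, in the thread) returns.
def index_action(current_user)
  FriendScope.new(current_user).all.map(&:name)
end

def show_action(current_user, params)
  FriendScope.new(current_user).find(params[:id]).name
end

# Rick's "similar comment for edit and update": the lookup is scoped before
# anything is modified, so a user cannot rename a friend they do not own.
def update_action(current_user, params)
  friend = FriendScope.new(current_user).find(params[:id])
  friend.name = params[:name]
  friend
end

if __FILE__ == $PROGRAM_NAME
  alice = USERS[0]
  p index_action(alice)                     # only alice's friends
  p unscoped_find("32").name                # "erin": bob's friend leaks
  begin
    show_action(alice, { id: "32" })
  rescue RecordNotFound => e
    puts "scoped lookup refused: #{e.message}"
  end
end
```

In a real Rails app the scoped `find` raises ActiveRecord::RecordNotFound for any id outside the association, which Rails renders as a 404, so a guessed id reveals nothing beyond "not found". The same scoping has to be applied in edit, update and destroy as well: a scoped show is undone by an unscoped `Friend.find` in update.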
eggie5
2010-Jan-14 07:09 UTC
Re: User a owns resource x; don't let user b see user a's resources...
Oh, that's a good solution:

friend = current_user.friends.find(params[:id])

I never thought of that. Search within the user's friends for the requested id... thanks.

On Jan 14, 7:12 am, Rick DeNatale <rick.denat...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Wed, Jan 13, 2010 at 8:02 AM, Eduard Martini
> <eduard.mart...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Don't take the user id from the url.
> >
> > For example, don't do this:
> >
> > url:
> > /show_friends/5
> > code:
> > Users.find(5).friends
> >
> > But do this:
> >
> > url:
> > /show_friends
> > code:
> > current_user.friends
> >
> > where current_user is the currently auth user. You know who is logged
> > in, don't need to pass his id around.
>
> And for the use case which the OP raised, which is the show action, it
> should be:
>
> def show
>   friend = current_user.friends.find(params[:id])
> end
>
> which scopes the find to the user's friends. Similar comment for
> other actions like edit and update
>
> --
> Rick DeNatale
>
> Blog: http://talklikeaduck.denhaven2.com/
> Twitter: http://twitter.com/RickDeNatale
> WWR: http://www.workingwithrails.com/person/9021-rick-denatale
> LinkedIn: http://www.linkedin.com/in/rickdenatale