Activate and suspend I took from restful_authentication and its acts_as_state_machine plugin, which handles records in states as strings. The problem with using update is that the permission is too generic. For example, activate: it's only authorized if the user is neither deleted nor active. But you can't put that in a "def authorized_for_update?", since you don't know in the model which is the real action (it isn't passed as a parameter, and using active_scaffold_session_storage is unpredictable and ugly).
On the example you mention as a possible issue, it doesn't affect since the "suspend" action updates the record but is not the default "update" provided by AS, which accepts parameters in many ways, thus making it vulnerable. "suspend" (or any other action different from the crud actions) is an action that must be defined by the developer in the controller, and it's his concern to control the parameters he/she may accept, or to use the same convention if wanted:

def id_authorized_for_suspend?

Well, it doesn't make sense in this example, but if it applies, it's a new feature :)

On Tue, Jul 7, 2009 at 3:52 PM, Kenny Ortmann <[email protected]> wrote:

> The way ActiveScaffold works I don't see any reason for it to check any
> other type of action.
> All of the things you just listed can be classified as a crud type:
> activate - update,
> suspend - update,
> pdf - read,
> review - read,
> comment - create,
> diggit - probably create
>
> You can set the crud type on your action_links to be one of these values.
>
> One thing that I could see being an issue.
> Say on my model I have:
>
> def id_authorized_for_update?
>   return false
> end
>
> Which means any action with the crud type of update will not be allowed to
> change my id column.
>
> If the line you are suggesting is removed, then say suspend is an action
> that updates the record; the ID column could now be updated in this method.
>
> This might be a far-fetched scenario, but this is one of the reasons the
> security is the way it is.
>
> ~Kenny
>
> On Tue, Jul 7, 2009 at 1:03 PM, Hernan Astudillo <[email protected]> wrote:
>
>> Hi all,
>> Is there a reason to block authorized_for? to only the 4 crud actions?
>> I mean this line in active_scaffold_permissions.rb:
>>
>> def authorized_for?(options = {})
>>   raise ArgumentError, "unknown action #{options[:action]}" if
>>     options[:action] and ![:create, :read, :update, :destroy].include?(options[:action])
>>
>> It would be nice to allow any action to pass through this security
>> structure. For example, use security for many possible actions that apply,
>> like activate, suspend, pdf, review, comment, diggit...
>>
>> I checked the code and I don't see anything that could be affected by
>> passing any other actions as parameter. However, in the view
>> (_list_actions.html.erb) it doesn't look so good to be using "crud_type" as
>> the action to be checked against, instead of the real :action parameter,
>> but changing that might need double checking for backward compatibility
>> issues. I just suggest commenting out that raise ArgumentError, which does
>> nothing.
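Added example, not from the thread or from ActiveScaffold itself: the Permissions module, the User model and the CRUD_TYPE mapping below are constructed to mirror the convention described above. It puts the guard quoted from active_scaffold_permissions.rb beside the unguarded variant, so you can see why a custom action checked through its crud_type still honours id_authorized_for_update?, whereas passing "suspend" straight through finds no permission method at all and is silently allowed.

```ruby
# Simplified stand-in for the model-side permission convention discussed in
# this thread; assumed for illustration, not ActiveScaffold's own code.
CRUD_ACTIONS = [:create, :read, :update, :destroy].freeze
# Action links declare a crud_type; this mapping is constructed for the example.
CRUD_TYPE = { activate: :update, suspend: :update, pdf: :read, comment: :create }.freeze

module Permissions
  # Mirrors the guard quoted from active_scaffold_permissions.rb: anything
  # other than the four CRUD actions raises before a method is looked up.
  def authorized_for?(options = {})
    action = options[:action]
    raise ArgumentError, "unknown action #{action}" if action && !CRUD_ACTIONS.include?(action)
    permission_method(action, options[:column])
  end

  # The variant proposed in the thread (guard commented out): any action name
  # is dispatched straight to its authorized_for_<action>? method.
  def authorized_for_any?(options = {})
    permission_method(options[:action], options[:column])
  end

  private
  # Convention: a missing permission method means "allowed".
  def permission_method(action, column)
    name = column ? "#{column}_authorized_for_#{action}?" : "authorized_for_#{action}?"
    respond_to?(name) ? send(name) : true
  end
end

# Model with the two rules the thread talks about.
User = Struct.new(:state) do
  include Permissions

  # Record-level rule: updates are only allowed from these states.
  def authorized_for_update?
    %w[pending suspended].include?(state)
  end

  # Column-level rule from Kenny's example: id never changes on update.
  def id_authorized_for_update?
    false
  end
end

# What the view does: translate the link's action to its crud_type first, so
# "suspend" inherits the update rules, including the id column restriction.
def link_allows_column?(record, action, column)
  record.authorized_for?(action: CRUD_TYPE.fetch(action, action), column: column)
end
```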
