I know there's been a discussion about this somewhere, but I can't 
remember where.  Perhaps some of the older members of the group can 
speak up.

The hobo permission system has attribute granularity, not model 
granularity.  So you can limit access to every attribute in the model, 
but not to the model itself.

A couple of things will help, though:

1) remove the standard rails default routes from the bottom of your 
config/routes.rb file.  That'll remove a few inadvertent security holes.

2) Use the hobo admin subsite capability and move the ip address pages 
into the admin controller.  Documentation for which appeared a couple of 
days ago:  http://cookbook.hobocentral.net/tutorials/subsite

An alternative to my #2 and your #2 is to wrap the IpAddress index.dryml 
etc in something like

<if test="&current_user.administrator?">
   <index-page>
      ....
   </index-page>
</if>
<else>
   Access Denied!
</else>

Not particularly more elegant than your #2, but an alternative.

Bryan

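As an added illustration of the point above (not code from this thread, from Hobo, or from Rails), here is a plain-Ruby model of the two layers involved: a Hobo-style view_permitted?(field) check on the model, which is attribute-granular and therefore leaves the index page itself reachable, and a controller before_filter like the one in Patrick's quoted post below, which guards the whole action. The User, IpAddress and controller classes are stand-ins written for this example, and the IP data is constructed.

```ruby
# Added example, not code from the thread, Hobo or Rails: a plain-Ruby model of
# the two layers Bryan contrasts. IpAddress#view_permitted? stands in for
# Hobo's per-attribute check, BaseController for a Rails controller with a
# before_filter chain; all classes here are stand-ins written for this example.

class User
  def initialize(admin)
    @admin = admin
  end

  def administrator?
    @admin
  end
end

class IpAddress
  FIELDS = [:ip_address, :machine]
  attr_reader :ip_address, :machine

  def initialize(ip_address, machine)
    @ip_address = ip_address
    @machine = machine
  end

  # Attribute-granular check in the style of Hobo's view_permitted?(field):
  # it answers per field and says nothing about whether the index page may
  # be served at all.
  def view_permitted?(field, acting_user)
    acting_user.administrator?
  end

  # Only the fields this user is allowed to see.
  def visible_fields(acting_user)
    FIELDS.inject({}) do |shown, field|
      shown[field] = send(field) if view_permitted?(field, acting_user)
      shown
    end
  end
end

# Constructed sample data for the example.
ALL_IP_ADDRESSES = [IpAddress.new("10.0.0.5", "web01"),
                    IpAddress.new("10.0.0.9", "db01")]

# Minimal stand-in for a Rails controller with a before_filter chain.
class BaseController
  def self.before_filter(name)
    filters << name
  end

  def self.filters
    @filters ||= []
  end

  attr_reader :current_user

  def initialize(current_user)
    @current_user = current_user
    @response = nil
  end

  # Filters run first; one that redirects halts the chain so the action never
  # executes, which is what makes this a model-level (whole-page) guard.
  def run(action)
    self.class.filters.each do |name|
      send(name)
      return @response if @response
    end
    send(action)
    @response
  end

  private
  def redirect_to(location)
    @response = { :status => :redirect, :location => location }
  end

  def render(body)
    @response = { :status => :ok, :body => body }
  end
end

# Attribute checks alone leave the page reachable: a non-admin still gets a
# 200 for /ip_addresses, just with every field stripped.
class UnguardedIpAddressesController < BaseController
  def index
    render ALL_IP_ADDRESSES.map { |ip| ip.visible_fields(current_user) }
  end
end

# Patrick's before_filter closes off the whole action instead.
class IpAddressesController < UnguardedIpAddressesController
  before_filter :check_user_level

  private
  def check_user_level
    redirect_to "/" unless current_user.administrator?
  end
end
```

Running `UnguardedIpAddressesController.new(User.new(false)).run(:index)` returns an ok response whose rows are all empty hashes, while `IpAddressesController.new(User.new(false)).run(:index)` returns a redirect to "/" and an administrator gets the full rows; that difference is the gap between attribute and model granularity the thread is about.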

Patrick Fitzgerald wrote:
> Hi All,
> 
> I managed to achieve what I wanted to. The way I did it was a mixture of 
> Rails and Hobo.  First up I hid the nav item from unprivileged users 
> using the Rapid *"if"* tag like so:
> 
> 1. Redefined the main-nav tag in application.dryml:
> 
> <def tag="main-nav">
>   <navigation class="main-nav" merge-attrs param="default">
>     <nav-item href="#{base_url}/">Home</nav-item>
>     <if test="&current_user.administrator?">
>       <nav-item with="&IpAddress">IP Addresses</nav-item>
>     </if>
>     <nav-item with="&Machine">Machines</nav-item>
>   </navigation>
> </def>
> 
> This line will ensure only admin users can see the tab:
> <if test="&current_user.administrator?" >
> 
> That's all well and good but if someone knows or guesses the URL then 
> they can still gain read access to the data which isn't very secure. 
> For example: http://127.0.0.1:3000/ip_addresses would still show all of 
> the IP Addresses.
> 
> In order to get around that I created a before filter which I placed at 
> the head of the IP Address controller.  This code checks the user level 
> and redirects if someone is trying to be somewhere they shouldn't be.
> 
> 2.  The code for the IP Address controller:
> 
> class IpAddressesController < ApplicationController
>   before_filter :check_user_level
> 
>   hobo_model_controller
> 
>   auto_actions :all
> 
>   private
> 
>   # Runs before every action in this controller: anyone who is not an
>   # administrator is sent back to the home page before the action runs.
>   # Kept private so Rails never exposes it as a routable action.
>   def check_user_level
>     puts "\n\n\n!!!AUTHORIZING!!!\n\n\n"
>     puts "Is admin user?: #{current_user.administrator?}\n\n\n"
> 
>     # If the user doesn't have the required access send them on their way.
>     if !current_user.administrator?
>       flash[:notice] = "You don't have the required access to be here.  I cast thee out!"
>       redirect_to "/"
>     end
>   end
> end
> 
> This approach works a treat to solve the problem I described earlier in 
> this thread.  I hope that this helps someone out in solving a similar 
> problem.
> 
> The downside of this is that it doesn't use the Hobo permissions system 
> at all.  I would really like to know the Hobo way to solve this problem 
> and welcome any comments or suggestions.
> 
> Cheers,
> Patrick
> 
> On Fri, Nov 20, 2009 at 11:35 AM, Patrick Fitzgerald 
> <[email protected] <mailto:[email protected]>> wrote:
> 
>     Hi Adam/All,
>        I'll try to give as much information as possible.  I am looking
>     for the Hobo way to fix this problem.  I have attached an image
>     which shows what I am trying to do.  Basically I have an ip address
>     model which I only want the admin to have access to.  That includes
>     viewing.  I don't want any other user to be even aware of the ip
>     address model! :)
> 
>     Here's the relevant code:
> 
>     1. New index page defined in application.dryml
> 
>     <def tag="index-page" for="IpAddress">
>       <page merge title="Ip Addresses">
>         <body: class="index-page ip-address" param/>
> 
>         <content: param>
>           <header param="content-header">
>             <h2 param="heading">Ip Addresses</h2>
> 
>             <p param="count" if>There <count prefix="are"/></p>
>           </header>
> 
>           <section param="content-body">
> 
>             <a action="new" to="&model" param="new-link"/>
> 
>             <page-nav param="top-page-nav"/>
> 
>             <table-plus fields="this">
>               <% puts "What is this: #[email protected]}" %>
>             </table-plus>
> 
>             <collection param/>
>             <page-nav param="bottom-page-nav"/>
> 
>           </section>
>         </content:>
>       </page>
>     </def>
> 
>     2. IP Address model:
> 
>     class IpAddress < ActiveRecord::Base
> 
>       hobo_model # Don't put anything above this
> 
>       fields do
>         ip_address :string, :name => true
>         timestamps
>       end
> 
>       belongs_to :machine
> 
>       # --- Permissions --- #
> 
>       def create_permitted?
>         acting_user.administrator?
>       end
> 
>       def update_permitted?
>         acting_user.administrator?
>       end
> 
>       def destroy_permitted?
>         acting_user.administrator?
>       end
> 
>       def view_permitted?(field)
>         acting_user.administrator?
>         #true
>       end
> 
>     end
> 
>     Everything else is stock Hobo stuff.  If you need anything else from
>     me let me know.
> 
>     Thanks,
>     Patrick
> 
> 
> 
>     On Thu, Nov 19, 2009 at 11:56 PM, Adam Grant <[email protected]
>     <mailto:[email protected]>> wrote:
> 
>         What does your controller/view code look like? Are you using the
>         hobo methods in your controller/view? Some code pasting would be
>         great!
> 
>         --
>         Adam Grant
>         Lead Web Engineer
>         Telaeris, Inc.
>         [email protected] <mailto:[email protected]>
>         (858) 627-9710
> 
> 
>         On Thu, Nov 19, 2009 at 3:43 PM, Patrick Fitzgerald
>         <[email protected] <mailto:[email protected]>> wrote:
> 
>             Hi all,
>                This is probably really simple but...
> 
>             I want to prevent a user from accessing a tab and anything
>             at all to do with a model.  I have tried changing the code to:
> 
>             def view_permitted?(field)
>               acting_user.administrator?
>             end
> 
>             which didn't affect a normal user's ability to view the
>             page.  I've also tried to force it using:
> 
>             def view_permitted?(field)
>               false
>             end
> 
>             Am I missing something obvious?!
> 
>             Thanks for all help!
> 
>             Patrick
> 
>             --
> 
>             You received this message because you are subscribed to the
>             Google Groups "Hobo Users" group.
>             To post to this group, send email to
>             [email protected] <mailto:[email protected]>.
>             To unsubscribe from this group, send email to
>             [email protected]
>             <mailto:hobousers%[email protected]>.
>             For more options, visit this group at
>             http://groups.google.com/group/hobousers?hl=.
> 
> 
> 
> 
> 
