Hi Bryan,
Thanks for the advice, I spotted the admin subsite stuff but haven't got
around to trying it out yet!
Cheers,
Patrick
On Fri, Nov 20, 2009 at 3:28 PM, Bryan Larsen <[email protected]> wrote:
> I know there's been a discussion about this somewhere, but I can't
> remember where. Perhaps some of the older members of the group can
> speak up.
>
> The hobo permission system has attribute granularity, not model
> granularity. So you can limit access to every attribute in the model,
> but not to the model itself.
>
> A couple of things will help, though:
>
> 1) remove the standard rails default routes from the bottom of your
> config/routes.rb file. That'll remove a few inadvertent security holes.
>
> 2) Use the hobo admin subsite capability and move the ip address pages
> into the admin controller. Documentation for which appears a couple of
> days ago: http://cookbook.hobocentral.net/tutorials/subsite
>
> An alternative to my #2 and your #2 is to wrap the IpAddress index.dryml
> etc in something like
>
> <if test="&current_user.administrator?">
>   <index-page>
>     ....
>   </index-page>
> </if>
> <else>
>   Access Denied!
> </else>
>
> Not particularly more elegant than your #2, but an alternative.
>
> Bryan
>
>
> Patrick Fitzgerald wrote:
> > Hi All,
> >
> > I managed to achieve what I wanted to. The way I did it was a mixture of
> > Rails and Hobo. First up I hid the nav item from unprivileged users
> > using the Rapid "if" tag like so:
> >
> > 1. Redefined the main-nav tag in application.dryml:
> >
> > <def tag="main-nav">
> >   <navigation class="main-nav" merge-attrs param="default">
> >     <nav-item href="#{base_url}/">Home</nav-item>
> >     <if test="&current_user.administrator?">
> >       <nav-item with="&IpAddress">IP Addresses</nav-item>
> >     </if>
> >     <nav-item with="&Machine">Machines</nav-item>
> >   </navigation>
> > </def>
> >
> > This line will ensure only admin users can see the tab:
> > <if test="&current_user.administrator?">
> >
> > That's all well and good but if someone knows or guesses the URL then
> > they can still gain read access to the data which isn't very secure.
> > For example: http://127.0.0.1:3000/ip_addresses would still show all of
> > the IP Addresses.
> >
> > In order to get around that I created a before filter which I placed at
> > the head of the IP Address controller. This code checks the user level
> > and redirects if someone is trying to be somewhere they shouldn't be.
> >
> > 2. The code for the IP Address controller:
> >
> > class IpAddressesController < ApplicationController
> >   before_filter :check_user_level
> >
> >   def check_user_level
> >     puts "\n\n\n!!!AUTHORIZING!!!\n\n\n"
> >     puts "Is admin user?: #{current_user.administrator?}\n\n\n"
> >
> >     # If the user doesn't have the required access send them on their way.
> >     if !current_user.administrator?
> >       flash[:notice] = "You don't have the required access to be here. I cast thee out!"
> >       redirect_to "/"
> >     end
> >   end
> >
> >   hobo_model_controller
> >
> >   auto_actions :all
> >
> > end
> >
> > This approach works a treat to solve the problem I described earlier in
> > this thread. I hope that this helps someone out in solving a similar
> > problem.
> >
> > The downside of this is that it doesn't use the Hobo permissions system
> > at all. I would really like to know the Hobo way to solve this problem
> > and welcome any comments or suggestions.
> >
> > Cheers,
> > Patrick
> >
> > On Fri, Nov 20, 2009 at 11:35 AM, Patrick Fitzgerald <[email protected]> wrote:
> >
> > Hi Adam/All,
> > I'll try to give as much information as possible. I am looking
> > for the Hobo way to fix this problem. I have attached an image
> > which shows what I am trying to do. Basically I have an ip address
> > model which I only want the admin to have access to. That includes
> > viewing. I don't want any other user to be even aware of the ip
> > address model! :)
> >
> > Here's the relevant code:
> >
> > 1. New index page defined in application.dryml
> >
> > <def tag="index-page" for="IpAddress">
> >   <page merge title="Ip Addresses">
> >     <body: class="index-page ip-address" param/>
> >
> >     <content: param>
> >       <header param="content-header">
> >         <h2 param="heading">Ip Addresses</h2>
> >
> >         <p param="count" if>There <count prefix="are"/></p>
> >       </header>
> >
> >       <section param="content-body">
> >
> >         <a action="new" to="&model" param="new-link"/>
> >
> >         <page-nav param="top-page-nav"/>
> >
> >         <table-plus fields="this">
> >           <% puts "What is this: #[email protected]}" %>
> >         </table-plus>
> >
> >         <collection param/>
> >         <page-nav param="bottom-page-nav"/>
> >
> >       </section>
> >     </content:>
> >   </page>
> > </def>
> >
> > 2. IP Address model:
> >
> > class IpAddress < ActiveRecord::Base
> >
> >   hobo_model # Don't put anything above this
> >
> >   fields do
> >     ip_address :string, :name => true
> >     timestamps
> >   end
> >
> >   belongs_to :machine
> >
> >   # --- Permissions --- #
> >
> >   def create_permitted?
> >     acting_user.administrator?
> >   end
> >
> >   def update_permitted?
> >     acting_user.administrator?
> >   end
> >
> >   def destroy_permitted?
> >     acting_user.administrator?
> >   end
> >
> >   def view_permitted?(field)
> >     acting_user.administrator?
> >     #true
> >   end
> >
> > end
> >
> > Everything else is stock Hobo stuff. If you need anything else from
> > me let me know.
> >
> > Thanks,
> > Patrick
> >
> >
> >
> > On Thu, Nov 19, 2009 at 11:56 PM, Adam Grant <[email protected]> wrote:
> >
> > What does your controller/view code look like? Are you using the
> > hobo methods in your controller/view? Some code pasting would be
> > great!
> >
> > --
> > Adam Grant
> > Lead Web Engineer
> > Telaeris, Inc.
> > [email protected]
> > (858) 627-9710
> >
> >
> > On Thu, Nov 19, 2009 at 3:43 PM, Patrick Fitzgerald <[email protected]> wrote:
> >
> > Hi all,
> > This is probably really simple but...
> >
> > I want to prevent a user from accessing a tab and anything
> > at all to do with a model. I have tried changing the code
> > to:
> >
> > def view_permitted?(field)
> >   acting_user.administrator?
> > end
> >
> > which didn't affect a normal user's ability to view the
> > page. I've also tried to force it using:
> >
> > def view_permitted?(field)
> >   false
> > end
> >
> > Am I missing something obvious?!
> >
> > Thanks for all help!
> >
> > Patrick
> >
> > --
> > You received this message because you are subscribed to the
> > Google Groups "Hobo Users" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/hobousers?hl=.
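The point the thread circles around is that hiding the "IP Addresses" tab is cosmetic, while the controller before filter is what actually stops a direct request to a guessed URL, and that an explicit route table avoids the surprise actions the default routes expose. The following plain-Ruby model of those two layers is an added example, not Hobo or Rails code and not from anyone on the thread: the User struct, Response, BaseController, the two IpAddresses controllers, ROUTES and handle are hypothetical stand-ins, and IP_ADDRESSES is constructed sample data.

```ruby
# Added example (not Hobo/Rails code): a toy dispatcher modelling the thread's
# point that a hidden nav item is cosmetic while a controller before filter
# actually blocks a guessed URL. All class and method names are hypothetical.

User = Struct.new(:name, :admin) do
  def administrator?
    admin
  end
end

# Constructed sample data standing in for the IpAddress model rows.
IP_ADDRESSES = ["10.0.0.5", "10.0.0.9"].freeze

# Minimal response object: HTTP status plus either a body or a redirect target.
class Response
  attr_reader :status, :body, :location

  def initialize(status, body: nil, location: nil)
    @status = status
    @body = body
    @location = location
  end
end

# Layer 1, the UI: mirrors the <if test="&current_user.administrator?"> wrapper
# around the nav item. Returns the [label, path] pairs the user would see.
def render_main_nav(user)
  items = [["Home", "/"]]
  items << ["IP Addresses", "/ip_addresses"] if user.administrator?
  items << ["Machines", "/machines"]
  items
end

# Layer 2, the controller: a before-filter mechanism in the spirit of Rails'.
class BaseController
  def self.before_filter(name)
    (@filters ||= []) << name
  end

  def self.filters
    @filters || []
  end

  attr_reader :current_user

  def initialize(user)
    @current_user = user
  end

  # Run the filters in order; the first one that returns a Response (a redirect)
  # short-circuits, and the action itself is never executed.
  def dispatch(action)
    self.class.filters.each do |name|
      result = send(name)
      return result if result.is_a?(Response)
    end
    send(action)
  end
end

# Before the fix: no filter, so the data is served to anyone who knows the URL,
# whether or not the nav item was rendered for them.
class UnprotectedIpAddressesController < BaseController
  def index
    Response.new(200, body: IP_ADDRESSES)
  end
end

# After the fix: the check_user_level filter from the thread, redirecting
# non-admins to "/" before index runs.
class ProtectedIpAddressesController < BaseController
  before_filter :check_user_level

  def check_user_level
    return nil if current_user.administrator?
    Response.new(302, location: "/")
  end

  def index
    Response.new(200, body: IP_ADDRESSES)
  end
end

# Explicit route table only: nothing resembling the catch-all default routes
# that the thread recommends removing, so any path not listed here is a 404
# rather than a surprise action.
ROUTES = { "/ip_addresses" => [:ip_addresses, :index] }.freeze

def handle(path, user, controllers)
  key, action = ROUTES[path]
  return Response.new(404) unless key
  controllers.fetch(key).new(user).dispatch(action)
end

VISITOR = User.new("visitor", false)
ADMIN = User.new("admin", true)
BEFORE = { ip_addresses: UnprotectedIpAddressesController }.freeze
AFTER = { ip_addresses: ProtectedIpAddressesController }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "nav for visitor: #{render_main_nav(VISITOR).map(&:first).inspect}"
  puts "GET /ip_addresses as visitor, before fix: #{handle('/ip_addresses', VISITOR, BEFORE).status}"
  puts "GET /ip_addresses as visitor, after fix:  #{handle('/ip_addresses', VISITOR, AFTER).status}"
  puts "GET /ip_addresses as admin, after fix:    #{handle('/ip_addresses', ADMIN, AFTER).status}"
end
```

Running it shows the visitor's nav without the tab in both versions, a 200 with the full list from the unprotected controller, and a 302 to "/" from the protected one; the admin still gets the data through the filter. The design choice worth noting is that the filter returns a Response instead of raising, so the dispatcher can short-circuit uniformly, and the route table is deliberately closed so unmapped paths fail safe.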