[Hobo Users] Permission question

12 views
Skip to first unread message

Patrick Fitzgerald

unread,
Nov 19, 2009, 6:43:57 PM11/19/09
to hobo...@googlegroups.com
Hi all,
   This is probably really simple but...

I want to prevent a user from accessing a tab and anything at all to do with a model.  I have tried changing the code to:

def view_permitted?(field)
acting_user.administrator?
end

which didn't affect a normal user's ability to view the page.  I've also tried to force it using:

def view_permitted?(field)
false
end

Am I missing something obvious?!

Thanks for all help!

Patrick

Adam Grant

unread,
Nov 19, 2009, 6:56:00 PM11/19/09
to hobo...@googlegroups.com
What does your controller/view code look like? Are you using the hobo methods in your controller/view? Some code pasting would be great!

--
Adam Grant
Lead Web Engineer
Telaeris, Inc.
adam....@telaeris.com
(858) 627-9710


--

You received this message because you are subscribed to the Google Groups "Hobo Users" group.
To post to this group, send email to hobo...@googlegroups.com.
To unsubscribe from this group, send email to hobousers+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/hobousers?hl=.

Patrick Fitzgerald

unread,
Nov 20, 2009, 6:35:50 AM11/20/09
to hobo...@googlegroups.com
Hi Adam/All,
   I'll try to give as much information as possible.  I am looking for the Hobo way to fix this problem.  I have attached an image which shows what I am trying to do.  Basically I have an ip address model which I only want the admin to have access to.  That includes viewing.  I don't want any other user to be even aware of the ip address model! :)

Here's the relevant code:

1. New index page defined in application.dryml

<def tag="index-page" for="IpAddress">
  <page merge title="Ip Addresses">
    <body: class="index-page ip-address" param/>
    
    <content: param>
      <header param="content-header">
        <h2 param="heading">Ip Addresses</h2>

        <p param="count" if>There <count prefix="are"/></p>
      </header>
      
      <section param="content-body">

        <a action="new" to="&model" param="new-link"/>      

        <page-nav param="top-page-nav"/>

<table-plus fields="this" >
<% puts "What is this: #{@this.class}" %>
</table-plus>

<collection param />
        <page-nav param="bottom-page-nav"/>


      </section>
    </content:>
  </page>
</def>

2. IP Address model:

class IpAddress < ActiveRecord::Base

hobo_model # Don't put anything above this

fields do
ip_address :string, :name => true
timestamps
end

belongs_to :machine

# --- Permissions --- #

def create_permitted?
acting_user.administrator?
end

def update_permitted?
acting_user.administrator?
end

def destroy_permitted?
acting_user.administrator?
end

def view_permitted?(field)
acting_user.administrator?
#true
end

end

Everything else is stock Hobo stuff.  If you need anything else form me let me know.

Thanks,
Patrick
hobo_question.JPG

Patrick Fitzgerald

unread,
Nov 20, 2009, 10:12:00 AM11/20/09
to hobo...@googlegroups.com
Hi All,

I manged to achieve what I wanted to. The way I did it was a mixture of Rails and Hobo.  First up I got hid the nav item from unprivileged users using the Rapid "if" tag like so:

1. Redefined the main-nav tag in application.dryml:

<def tag="main-nav">
<navigation class="main-nav" merge-attrs param="default">
<nav-item href="#{base_url}/">Home</nav-item>
<if test="&current_user.administrator?" >
<nav-item with="&IpAddress">IP Addresses</nav-item>
</if>
                <nav-item with="&Machine">Machines</nav-item>
</navigation>
</def>

This line will ensure only admin users can see the tab:
<if test="&current_user.administrator?" >

That's all well and good but if someone knows or guesses the URL then they can still gain read access to the data which isn't very secure.  For example: http://127.0.0.1:3000/ip_addresses would still show all of the IP Addresses.  

In order to get around that I created a before filter which I placed at the head of the IP Address controller.  This code checks the user level and redirects if someone is trying to be somewhere they shouldn't be.

2.  The code for the IP Address controller:

class IpAddressesController < ApplicationController
before_filter :check_user_level

def check_user_level
puts "\n\n\n!!!AUTHORIZING!!!\n\n\n"
puts "Is admin user?: #{current_user.administrator?}\n\n\n"
    
                # If the user doesn't have the required access send them on their way.
if !current_user.administrator?
flash[:notice] = "You don't have the required access to be here.  I cast thee out!"
redirect_to "/"
end
end

hobo_model_controller

auto_actions :all

end

This approach works a treat to solve the problem I described earlier in this thread.  I hope that this helps someone out in solving a similar problem.

The downside of this is that it doesn't user the Hobo permissions system at all.  I would really like to know the Hobo way to solve this problem and welcome any comments or suggestions.

Cheers,
Patrick

Bryan Larsen

unread,
Nov 20, 2009, 10:28:01 AM11/20/09
to hobo...@googlegroups.com
I know there's been a discussion about this somewhere, but I can't
remember where. Perhaps some of the older members of the group can
speak up.

The hobo permission system has attribute granularity, not model
granularity. So you can limit access to every attribute in the model,
but not to the model itself.

A couple of things will help, though:

1) remove the standard rails default routes from the bottom of your
config/routes.rb file. That'll remove a few inadvertant security holes.

2) Use the hobo admin subsite capability and move the ip address pages
into the admin controller. Documentation for which appears a couple of
days ago: http://cookbook.hobocentral.net/tutorials/subsite

An alternative to my #2 and your #2 is to wrap the IpAddress index.dryml
etc in something like

<if test="&current_user.administrator?">
<index-page>
....
</index-page>
</if>
<else>
Access Denied!
</else>

Not particularly more elegant than your #2, but an alternative.

Bryan


Patrick Fitzgerald wrote:
> Hi All,
>
> I manged to achieve what I wanted to. The way I did it was a mixture of
> Rails and Hobo. First up I got hid the nav item from unprivileged users
> using the Rapid *"if"* tag like so:
>
> 1. Redefined the main-nav tag in application.dryml:
>
> <def tag="main-nav">
> <navigation class="main-nav" merge-attrs param="default">
> <nav-item href="#{base_url}/">Home</nav-item>
> <if test="&current_user.administrator?" >
> <nav-item with="&IpAddress">IP Addresses</nav-item>
> </if>
> <nav-item with="&Machine">Machines</nav-item>
> </navigation>
> </def>
>
> This line will ensure only admin users can see the tab:
> <if test="&current_user.administrator?" >
>
> That's all well and good but if someone knows or guesses the URL then
> they can still gain read access to the data which isn't very secure.
> For example: http://127.0.0.1:3000/ip_addresses would still show all of
> the IP Addresses.
>
> In order to get around that I created a before filter which I placed at
> the head of the IP Address controller. This code checks the user level
> and redirects if someone is trying to be somewhere they shouldn't be.
>
> 2. The code for the IP Address controller:
>
> class IpAddressesController < ApplicationController
> * **before_filter** **:check_user_level*
> *
> *
> * **def check_user_level*
> * **puts "\n\n\n!!!AUTHORIZING!!!\n\n\n"*
> * **puts "Is admin user?: #{current_user.administrator?}\n\n\n"*
> * *
> * # If the user doesn't have the required access send
> them on their way.*
> * **if !current_user.administrator?*
> * **flash[:notice] = "You don't have the required access to be here. I
> cast thee out!"*
> * **redirect_to "/"** *
> * **end*
> * **end*
> adam....@telaeris.com <mailto:adam....@telaeris.com>
> (858) 627-9710
>
>
> On Thu, Nov 19, 2009 at 3:43 PM, Patrick Fitzgerald
> <miste...@gmail.com <mailto:miste...@gmail.com>> wrote:
>
> Hi all,
> This is probably really simple but...
>
> I want to prevent a user from accessing a tab and anything
> at all to do with a model. I have tried changing the code to:
>
> def view_permitted?(field)
> acting_user.administrator?
> end
>
> which didn't affect a normal user's ability to view the
> page. I've also tried to force it using:
>
> def view_permitted?(field)
> false
> end
>
> Am I missing something obvious?!
>
> Thanks for all help!
>
> Patrick
>
> --
>
> You received this message because you are subscribed to the
> Google Groups "Hobo Users" group.
> To post to this group, send email to
> hobo...@googlegroups.com <mailto:hobo...@googlegroups.com>.
> To unsubscribe from this group, send email to
> hobousers+...@googlegroups.com
> <mailto:hobousers%2Bunsu...@googlegroups.com>.
> For more options, visit this group at
> http://groups.google.com/group/hobousers?hl=.
>
>
> --
>
> You received this message because you are subscribed to the
> Google Groups "Hobo Users" group.
> To post to this group, send email to hobo...@googlegroups.com
> <mailto:hobo...@googlegroups.com>.
> To unsubscribe from this group, send email to
> hobousers+...@googlegroups.com
> <mailto:hobousers%2Bunsu...@googlegroups.com>.

Patrick Fitzgerald

unread,
Nov 20, 2009, 10:35:35 AM11/20/09
to hobo...@googlegroups.com
Hi Bryan,
    Thanks for the advice, I spotted the admin subsite stuff but haven't got around to trying it out yet!  

Cheers,
Patrick
Reply all
Reply to author
Forward
0 new messages