Security?


JB

Oct 16, 2011, 6:09:41 PM
to ActiveScaffold : Ruby on Rails plugin
Does anyone have any experience with using ActiveScaffold security?
I'm just doing a test to see how to get things working, without
success.

I've defined this in my ApplicationController:

ActiveScaffold.set_defaults do |config|
  config.security.current_user_method = :current_user
  config.security.default_permission = false
end

And this in my model's controller:

def create_authorized?
  true
end

def show_authorized?(record)
  true
end

def list_authorized?
  true
end

def update_authorized?(record)
  true
end

def delete_authorized?(record)
  true
end

And this on my model:

def self.authorized_for_create?
  true
end

def authorized_for_read?
  true
end

def authorized_for_update?
  true
end

def authorized_for_delete?
  true
end

When I go to the index page for my model, I get a table, but none of
the columns show up. For each record I see an Edit, Delete, and Show
button. I also see the Create New link at the top of the table. When I
click the Create New button, I get a blank form. And the Edit, Delete,
and Show buttons all fail with the following:

17:05:41 web.1 | ArgumentError (wrong number of arguments (0 for 1)):
17:05:41 web.1 | app/controllers/sub_contractors_controller.rb:15:in `show_authorized?'

Any suggestions on where to go from here?

Nick Rogers

Oct 16, 2011, 7:30:23 PM
to actives...@googlegroups.com
I believe the argument in the *_authorized? methods in the controller needs to have a default, because in some places within active_scaffold they are called without an argument.

For example:

def update_authorized?(record = nil)
  current_user.update_allowed?
end



JB

Oct 16, 2011, 8:37:15 PM
to ActiveScaffold : Ruby on Rails plugin
Thanks, that solved the problem with the Edit, Delete, and Show
buttons. But the index view doesn't show any of the record's columns.
You get a table that just shows the Edit, Delete, and Show buttons,
but nothing else. And when you click the Create New button, the create
form opens, but it doesn't have any fields.



On Oct 16, 6:30 pm, Nick Rogers <ncrog...@gmail.com> wrote:
> I believe the argument in the *_authorized? methods in the controller needs
> to have a default, because in some places within active_scaffold they are
> called without an argument.
>
> For example:
>
> def update_authorized?(record = nil)
>    current_user.update_allowed?
> end
>

Nick Rogers

Oct 17, 2011, 8:37:40 AM
to actives...@googlegroups.com

Have you tried removing the "config.security.default_permission = false" line? Does that change things?

Could you paste a copy of your scaffold controller?

JB

Oct 17, 2011, 9:46:09 AM
to ActiveScaffold : Ruby on Rails plugin
Genius! Removing the "config.security.default_permission = false" line
solved it.

I'm actually using declarative_authorization. When I have some time
later today or this week, I'll add a page to the wiki explaining how
I'm doing it.

clyfe

Oct 17, 2011, 10:40:29 AM
to actives...@googlegroups.com
The way I do security is to combo with CanCan

  ActiveScaffold.set_defaults do |config| 
    # config.security.current_user_method = :current_user # this is the default case, no need to be explicit
    config.security.default_permission = false # deny all by default, don't leak
  end

Add CanCan to your Gemfile and write your ACL rules. Done.

Nick Rogers

Oct 17, 2011, 10:43:36 AM
to actives...@googlegroups.com
I don't have any experience with the default_permission parameter. My guess is you are missing some method override that tells active_scaffold it is allowed to show the list view. However, I would think this would be the "list" action, which you already have.

I have good luck using an implicit "default_permission" of true and the following methods in my controllers.

def list_authorized?(record = nil)
  current_admin.read_system?
end

def show_authorized?(record = nil)
  current_admin.read_system?
end

def create_authorized?(record = nil)
  current_admin.write_system?
end

def update_authorized?(record = nil)
  current_admin.write_system?
end

def delete_authorized?(record = nil)
  current_admin.write_system?
end

def search_authorized?(record = nil)
  current_admin.read_system?
end

def export_authorized?(record = nil)
  current_admin.read_system?
end
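An added illustration, not ActiveScaffold's own code and not part of any post in this thread: a simplified stand-in for hook dispatch that shows why a required `record` parameter breaks the argument-less call Nick describes, and how a default permission of false denies any action that has no explicit hook. `Permissions`, `StrictController` and `LenientController` are invented names for this example.

```ruby
# Added example, not ActiveScaffold's own code: a minimal stand-in for a
# framework that dispatches "#{action}_authorized?" controller hooks, sometimes
# with a record and sometimes without, falling back to a default permission.
class Permissions
  attr_reader :default_permission
  def initialize(controller, default_permission: false)
    @controller = controller
    @default_permission = default_permission
  end

  # Record-aware call sites (Edit, Delete, Show) pass the record; record-less
  # ones (the Create New link, the list itself) call the hook with no argument.
  def authorized?(action, record = nil)
    hook = :"#{action}_authorized?"
    return default_permission unless @controller.respond_to?(hook)
    record ? @controller.public_send(hook, record) : @controller.public_send(hook)
  end
end

# Hook with a required parameter: the zero-argument call path raises
# "wrong number of arguments (0 for 1)", the error quoted in the first post.
class StrictController
  def show_authorized?(record)
    true
  end
end

# Hook with an optional parameter, as suggested in the thread: both paths work.
class LenientController
  def show_authorized?(record = nil)
    true
  end
end

def strict_without_record
  Permissions.new(StrictController.new).authorized?(:show)
rescue ArgumentError => e
  e.class
end

# show: hook grants; list: no hook defined, so default_permission (false) applies.
def lenient_results
  perms = Permissions.new(LenientController.new)
  [perms.authorized?(:show), perms.authorized?(:show, Object.new), perms.authorized?(:list)]
end

# Same controller with default_permission = true: the missing list hook now allows.
def default_allow_list
  Permissions.new(LenientController.new, default_permission: true).authorized?(:list)
end
```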

JB

Oct 17, 2011, 11:09:49 AM
to ActiveScaffold : Ruby on Rails plugin
I wrote up a quick wiki page on what I did to get things working with
declarative_authorization:

https://github.com/activescaffold/active_scaffold/wiki/Security:-declarative-authorization

JB

Oct 17, 2011, 1:14:21 PM
to ActiveScaffold : Ruby on Rails plugin
I learn something new every day. I didn't realize ActiveScaffold
worked out of the box with CanCan. It's probably not too late for me
to give it a try instead of declarative_authorization.

Atastor

Mar 20, 2012, 6:27:36 PM
to actives...@googlegroups.com
Hmmm... but nobody actually found out which method override was missing in JB's original settings???

I set out to finally get security.default_permission = false running... but I'm running into the same wall.

Isn't there anybody out there who got the default_permissions=false functioning?

Regards
Michael