I know there's been a discussion about this somewhere, but I can't
remember where. Perhaps some of the older members of the group can
speak up.
The hobo permission system has attribute granularity, not model
granularity. So you can limit access to every attribute in the model,
but not to the model itself.
A couple of things will help, though:
1) remove the standard rails default routes from the bottom of your
config/routes.rb file. That'll remove a few inadvertant security holes.
2) Use the hobo admin subsite capability and move the ip address pages
into the admin controller. Documentation for which appears a couple of
days ago:
http://cookbook.hobocentral.net/tutorials/subsite
An alternative to my #2 and your #2 is to wrap the IpAddress index.dryml
etc in something like
<if test="¤t_user.administrator?">
<index-page>
....
</index-page>
</if>
<else>
Access Denied!
</else>
Not particularly more elegant than your #2, but an alternative.
Bryan
Patrick Fitzgerald wrote:
> Hi All,
>
> I manged to achieve what I wanted to. The way I did it was a mixture of
> Rails and Hobo. First up I got hid the nav item from unprivileged users
> using the Rapid *"if"* tag like so:
>
> 1. Redefined the main-nav tag in application.dryml:
>
> <def tag="main-nav">
> <navigation class="main-nav" merge-attrs param="default">
> <nav-item href="#{base_url}/">Home</nav-item>
> <if test="¤t_user.administrator?" >
> <nav-item with="&IpAddress">IP Addresses</nav-item>
> </if>
> <nav-item with="&Machine">Machines</nav-item>
> </navigation>
> </def>
>
> This line will ensure only admin users can see the tab:
> <if test="¤t_user.administrator?" >
>
> That's all well and good but if someone knows or guesses the URL then
> they can still gain read access to the data which isn't very secure.
> For example:
http://127.0.0.1:3000/ip_addresses would still show all of
> the IP Addresses.
>
> In order to get around that I created a before filter which I placed at
> the head of the IP Address controller. This code checks the user level
> and redirects if someone is trying to be somewhere they shouldn't be.
>
> 2. The code for the IP Address controller:
>
> class IpAddressesController < ApplicationController
> * **before_filter** **:check_user_level*
> *
> *
> * **def check_user_level*
> * **puts "\n\n\n!!!AUTHORIZING!!!\n\n\n"*
> * **puts "Is admin user?: #{current_user.administrator?}\n\n\n"*
> * *
> * # If the user doesn't have the required access send
> them on their way.*
> * **if !current_user.administrator?*
> * **flash[:notice] = "You don't have the required access to be here. I
> cast thee out!"*
> * **redirect_to "/"** *
> * **end*
> * **end*
>
adam....@telaeris.com <mailto:
adam....@telaeris.com>
>
(858) 627-9710
>
>
> On Thu, Nov 19, 2009 at 3:43 PM, Patrick Fitzgerald
> <
miste...@gmail.com <mailto:
miste...@gmail.com>> wrote:
>
> Hi all,
> This is probably really simple but...
>
> I want to prevent a user from accessing a tab and anything
> at all to do with a model. I have tried changing the code to:
>
> def view_permitted?(field)
> acting_user.administrator?
> end
>
> which didn't affect a normal user's ability to view the
> page. I've also tried to force it using:
>
> def view_permitted?(field)
> false
> end
>
> Am I missing something obvious?!
>
> Thanks for all help!
>
> Patrick
>
> --
>
> You received this message because you are subscribed to the
> Google Groups "Hobo Users" group.
> To post to this group, send email to
>
hobo...@googlegroups.com <mailto:
hobo...@googlegroups.com>.
> <mailto:
hobousers%2Bunsu...@googlegroups.com>.
> <mailto:
hobo...@googlegroups.com>.
> <mailto:
hobousers%2Bunsu...@googlegroups.com>.