David, thanks for your fast response
On Dec 29, 5:26 am, David Pollak <feeder.of.the.be...@gmail.com
> On Tue, Dec 28, 2010 at 5:26 PM, Kuba Neumann <kuba.neum...@gmail.com
> > Hi,
> > In our project the prototype phase has been finished. In some part of
> > our simple application the functionality offered by CRUDify is
> > sufficient. Because of this we consider to use CRUDify in production,
> > but there are some doubt (rather lack of knowledge) concerning
> > security and access control. This is the said part of our application.
> > User management is done by *ProtoUser. Users can have accounts (model
> > Account with CRUDify has the foreign key field "owner"). SiteMap
> > controls if the user is logged in. CRUDify lists only accounts owned
> > by the user and properly does other crud actions.
> > But nothing prevents other logged in users to edit (view, delete)
> > other user's accounts (simply by c&p crudify actions url).
> > So, how we can easily protect accounts in this situation (I mean using
> > CRUDify and *ProtoUser)? We considered AuthRole and
> > Http*Authentication but it's not obvious for us how to use it with
> > *ProtoUser.
> Just override Crufidy's findForList (only present the user with a list of
> records they are allowed to see) and findForParam (only return a Full if the
> user has the right to see the record).
This is what I did before. It works but doesn't prevent logged in
users to do CRUDify actions of other users.
Unfortunately all examples and previous topics I found test only if
the user is logged in. But with CRUDify it is insufficient.
> You can override the obscurePrimaryKey method to create session-specific
> primary keys such that the primary keys are not repeated except during the
> current session.
Ok, I didn't think about it. It could solve the problem.
> Does this help or do you need something more concrete?
Could you please give a few details how to obfuscate pk in a secure,
acceptable in production way?
I guess it could be difficult because we need an invertible (insecure)
> > Besides of our access problem, is it generally a good idea to use
> > CRUDify in production? Could you please share your experience and
> > thoughts?
> > Best regards
> > Kuba
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Lift" group.
> > To post to this group, send email to lif...@googlegroups.com
> > To unsubscribe from this group, send email to
> > liftweb+u...@googlegroups.com
> > .
> Beginning Scalahttp://www.apress.com/book/view/1430219890