inossidabile / heimdallr Goto Github PK

This thread has started at #19

To ease usage of AR extensions we could add the method that "insecurely taps" current model relation with custom calls preserving security context. In fact we need an effective shortcut to this:

restricted_relation.insecure.other_relation('foo').restrict(context)

Possible notations:

restricted_relation.insecurely{|r| r.other_relation('foo')}
restricted_relation.insecurely(:other_relation, 'foo')

Are there any additional checks we should run between insecure and restrict calls? Like checking if we still have the same class/record or anything...

@whitequark @AlexanderPavlenko I'd like to hear from you.

Gem is not compatible with ruby 1.8 due to 1.9 syntax sugar (lambda, json-style for hashes).

Hi and thanks for the module!

Is it possible to restrict nested models which being updated using accepts_nested_attributes_for ? Restriction in the nested model itself seems to not working.

For example, I have Company class which can accept attributes of associated Beneficiary model (this is just copy-paste of subset of the module; I tried to remove all unnecessary fields and logic from there to simplify it as possible, so here may exist typos etc.):

class Company < ActiveRecord::Base
include Heimdallr::Model

attr_accessible :name, :beneficiaries_attributes

has_many :beneficiaries
accepts_nested_attributes_for :beneficiaries, :allow_destroy => true

restrict do |user, record|
scope :fetch
can [:view, :create, :update]
cannot :view, [:beneficiaries_attributes]
cannot :update, [:beneficiaries_attributes]
end
end

Also I have Beneficiary class itself with protected attributes (i.e. name):

class Beneficiary < ActiveRecord::Base
include Heimdallr::Model

attr_accessible :name, :comments
belongs_to :company

restrict do |user, record|
scope :fetch
can [:view, :create, :update]
cannot :view, [:name, :comments]
cannot :edit, [:name, :comments]
end
end

Also I have a view which deals with company beneficiaries.

And I found no way to restrict such updating. Restrictions in the nested model (Beneficiary) are ignored, and restrictions in the Company model (for beneficiaries_attributes) seems to not working.

I can make these attributes not shown in the view, but I can't prevent them from updating it the case when proper parameter hash was somehow created.

Is is correct that Heimdallr currently can't deal with this, or I just missed something?

I tried to use Heimdallr with Mongoid. Scoping seems to work well, but operations on the record level presumes ActiveRecord. How much effort, what it would need to add support for mongoid?

DEPRECATION WARNING: The InstanceMethods module inside ActiveSupport::Concern will be no longer included automatically. Please define instance methods directly in %module_name% instead.

Since for most cases we do not require level A security it would be handy to have availability to lower Heimdallr paranoia about managing associations.

We could have something like: config.heimdallr.allow_unrestricted_associations = true

which is true by default. If it's false Heimdallr should check associations and throw exception if you try to get something unrestricted from a restricted scope. Or it shouldn't otherwise.

Hi!

What is the proper way to implement pagination on collection protected by Heimdallr?

Using will_paginate and trying to do:
@companies = Company.restrict(current_user).paginate(:page => @page)

I'm getting:
Heimdallr::InsecureOperationError in CompaniesController#index
Potentially insecure method paginate was called

I can deal with it using:
@records = Company.restrict(current_user).all
@companies = WillPaginate::Collection.create(@page, @per_page, @records.size) do |pager|
pager.replace(@records)
end

But I suppose this is not as efficient as it could be.

How do you deal with it?

Guys,

Thanks for this awesome gem! However I have the following issue:

Showing app/views/accounts/index.html.erb where line #15 raised:

undefined method `model_name' for Heimdallr::Proxy::Record:Class
Extracted source (around line #15):

12:   <tr>
13:     <td><%= account.id %></td>
14:     <td><%= account.name %></td>
15:     <td><%= link_to 'Show', account %></td>
16:     <td><%= link_to 'Edit', edit_account_path(account) %></td>
17:   </tr>
18: <% end %>

rails -v: Rails 3.1.3

Hello and thanks for great gem.

I'm using MetaSearch and want to restrict regular users in their searches. So I have a block for restrictions:

    restrict do |user, record|
      scope :fetch
      scope :search

      can :view
    end

When I call this line, I get:

Model.restrict(current_user).search(params[:search]) 
#=> RuntimeError: There is no such scope as search

My investigation brought me to this line: https://github.com/roundlake/heimdallr/blob/master/lib/heimdallr/evaluator.rb#L51

So I can't find out, how to allow user to call search.

Heimdallr::PermissionError: Attempt to fetch non-whitelisted attribute build_bla_bla_association

Full trace:

krasnoukhov:smmify krasnoukhov$ rails c
/Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/activesupport-3.2.0/lib/active_support/dependencies.rb:251:in require': no such file to load -- heimdallr/resource (LoadError) from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/activesupport-3.2.0/lib/active_support/dependencies.rb:251:inblock in require'
from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/activesupport-3.2.0/lib/active_support/dependencies.rb:236:in load_dependency' from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/activesupport-3.2.0/lib/active_support/dependencies.rb:251:inrequire'
from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/bundler/gems/heimdallr-9525f62cafe3/lib/heimdallr.rb:48:in <top (required)>' from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/bundler-1.0.21/lib/bundler/runtime.rb:68:inrequire'
from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/bundler-1.0.21/lib/bundler/runtime.rb:68:in block (2 levels) in require' from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/bundler-1.0.21/lib/bundler/runtime.rb:66:ineach'
from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/bundler-1.0.21/lib/bundler/runtime.rb:66:in block in require' from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/bundler-1.0.21/lib/bundler/runtime.rb:55:ineach'
from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/bundler-1.0.21/lib/bundler/runtime.rb:55:in require' from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/bundler-1.0.21/lib/bundler.rb:122:inrequire'
from /Users/krasnoukhov/Sites/Freelance/Smmify/smmify/config/application.rb:7:in <top (required)>' from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/railties-3.2.0/lib/rails/commands.rb:39:inrequire'
from /Users/krasnoukhov/.rvm/gems/ruby-1.9.2-p290/gems/railties-3.2.0/lib/rails/commands.rb:39:in <top (required)>' from script/rails:6:inrequire'
from script/rails:6:in `

Is there mistake in dependencies?
My project is running Rails 3.2 and i've installed heimdallr from git.

please note in readme that Article should have default secrecy_level 0

otherwise

# If only a single value is possible, it is inferred automatically:
secure.create! content: "My second article"
# => Article(id: 4, owner: johndoe, content: "My second article", security_level: 0)

throws

/Users/xxx/.rvm/gems/ruby-1.9.3-p286@heimdallr_testing/gems/activerecord-3.2.8/lib/active_record/validations.rb:56:in `save!': Validation failed: Secrecy level is not included in the list (ActiveRecord::RecordInvalid)
    from /Users/xxx/.rvm/gems/ruby-1.9.3-p286@heimdallr_testing/gems/activerecord-3.2.8/lib/active_record/attribute_methods/dirty.rb:33:in `save!'

Hello! I'm trying to rewrite my application from CanCan to Heimdallr.
I use the Ancestry gem (https://github.com/stefankroes/ancestry) in a User model. Users has a tree-like structure.
In CanCan I have:

node = User.accessible_by(current_ability).roots.arrange(:order => :created_at)

For Heimdallr I'm rewrited this line to:

node = User.restrict(current_user).roots.arrange(:order => :created_at)

... and got an exception:

Heimdallr::InsecureOperationError (Potentially insecure method arrange was called)

Is there any way to disable this potentially insecure method check? Or another suggestion.
Thanks in advance!

not sure if this applies to heimdallr policies from readme, you can use the code if it applies

https://github.com/rilian/heimdallr/commit/413d29bee97773f7a21cb478646399b279dad7c8

# @method becomes
# @macro delegate
delegate :becomes, :to => :@record

Consider the following class:

class Post < ActiveRecord::Base
  include Heimdallr::Model
  restrict do |user, record|
    scope :fetch
    scope :delete
    can [:view, :create, :update]
  end
  def slug
    title.parameterize
  end
end

Even though everything is whitelisted, calling post.restrict(user).slug raises a permission error because it is not an actual attribute and will not be automatically picked up by can.

The current workaround is to use:

  restrict do |user, record|
    scope :fetch
    scope :delete
    can [:view, :create, :update]
    can :view, [:slug]
  end

But this becomes unwieldy for most models.

Does it make sense to refactor the proxy to authorize on read_attribute and write_attribute?

I am trying to port over some security logic from CanCan. I am hitting a lot of complexity around disjunctions. E.g. some rules look like:

can :manage, User, :id => user.id
can :read, User, :developer => { :matches => { :project_listing => { :employer => { :user_id => user.id } } } }
can :read, User, :employer => { :project_listings => { :matches => { :team => { :developers => { :user_id => user.id } } } } }
can :read, User, :developer => { :teams => { :developers => { :user_id => user.id } } }
can :read, User, :admin => true

This becomes extremely unwieldy to combine all of the read permissions into a single fetch scope. The workaround is to just use the default unrestricted fetch scope and just set the can :view permissions in code, but this seems slightly messy.

Any suggestions as to go about this?

At resource.rb:7 : in `resource_for'

Example:
(:quick_link).to_s.capitalize
=> "Quick_link"

This will not pass #constantize

I'm trying to use active_model_serializers, however it fails as misses active_model_serializer method.. and perhaps others as well.

As I see there are several methods delegated to the record. For active_record_serializers this would need to be extended or maybe possible to customize.

Probably heimdallr would be used in "implicit mode" with the serializers. Here I miss that restricted collections haven't implicit call. So Model.restrict(context).first would return an instance which is view/serializing friendly, not failing on unrestricted access.

I know this is a probably a bit fuzzy "issue report", rather a question or an intention to find a way how to make model serializing working with heimdallr.