-
Notifications
You must be signed in to change notification settings - Fork 330
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Model Consistency: Nesting Singular Model #438
Comments
I don't see how can we use update_authorized?(record = nil) controller method to do somehting like: Or to do this check: |
Hi @scambra I'm not sure to follow, you think it's not possible to do it? Thanks. |
No, I don't see how to do it This is controller method you want to use: def update_authorized?(record = nil) And these are calls on helpers: If I change them to use update_authorized, they are not the same check: update_authorized?(associated_for_authorized) update_authorized?(record) if link.crud_type == :create |
Ok so there is no real solution then. I guess at some point the security restriction applied in model and controller should be merged inside the different check in AS because today having both and using it differently introduce some inconstancies. Thanks for your time. |
maybe we can add some parameters to update_authorized?(record = nil), so we can pass them, but I'm worried with don't break anything |
Hello,
I'm working with lot of AS models and nested controller and with a layer of security on top of it. I'm not big fan of the model security layer as it spread models with AS code and like to keep it clear inside the controller.
Almost everything is fine doing only controller security but sadly the behavior of nested models when having a singular relationship is not very consistent, let me explain:
When you have a singular nested model, by default it tries to open the nested in the "edit" action, compared the the "index" one when it's a plural model. There is a security check based on the model security layer and if you don't have access to the authorized_for_update? this will fallback to "index".
Sadly if you only use "controller" security and use the "authorized_for_update?" inside the controller, this layer is not checked and then the action of the nested will still be "edit" which will after that throw an exception when you click on it because you in fact don't have the right security clearance.
I tried to find the trace in the AS code, and it seems everything is related to those two pieces of code:
And
Do you think it will be possible to check the controller security of the nested model to fallback to a different action based on the result of the check ?
Thanks,
Guillaume.
PS : It may be a corner case but it's seems weird that the security is handled differently depending if it's model or controller based.
The text was updated successfully, but these errors were encountered: