declarative_authorization if_attribute 中对用户的多个条件
我有 4 个不同级别的访问权限;管理员、合作伙伴、员工和客户。管理员、合作伙伴和员工对客户端拥有管理访问权限。基本上我所做的是创建一个 Rails 应用程序,客户可以将文档上传到他们的供应商(合作伙伴)。除了客户端级别的访问之外,一切都运行良好。我有两个代码;合作伙伴代码和客户端代码。合作伙伴只能查看文件的partercode 字段等于合作伙伴的合作伙伴代码的文件。这很好用。但是,客户端只能看到合作伙伴代码与客户端代码匹配的文件。下面是我的客户部分。有效的方法是只允许客户端查看partercode 文件,但设置它们可以查看属于合作伙伴的其他客户端。 (通过在 URL 中输入数字)。我怀疑这会成为一个问题,但这是一个我绝对希望关闭的安全漏洞。
role :client do
has_permission_on [:users], :to => [:client, :edit, :update] do
if_attribute :username => is { user.username }
end
has_permission_on [:documents], :to => [:client, :new, :create]
has_permission_on [:documents], :to => [:client, :index, :show, :edit, :update, :destroy, :documents] do
if_attribute :partnercode => is { user.partnercode }, :clientcode => is { user.clientcode }
end
end
I have 4 different levels of access; admin, partner, employee and client. Admin, Partner, and Employee have administrative access over clients. Basically what I have done is created a Rails app where clients can upload documents to their vendor (partners). Everything works great except for the client level access. I have two codes; partercode and client code. Partners can only see files where the file's partercode field equals the partner's partner code. This works just fine. However, the client can only see files where the partnercode matches and the clientcode matches. Below is my client section. What is working is that the client IS only allowed to see the partercode files, but it is setting them see other clients that belong to the partner. (by typing in the number in the URL). I doubt this would ever be an issue, but it's a security hole that I would definitely want closed.
role :client do
has_permission_on [:users], :to => [:client, :edit, :update] do
if_attribute :username => is { user.username }
end
has_permission_on [:documents], :to => [:client, :new, :create]
has_permission_on [:documents], :to => [:client, :index, :show, :edit, :update, :destroy, :documents] do
if_attribute :partnercode => is { user.partnercode }, :clientcode => is { user.clientcode }
end
end
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我不认为嵌套 if_attribute 语句实际上是这样工作的。默认情况下,Declarative_authorization 将这些
if_attribute语句与or语句连接起来,但如果我理解正确的话,您希望它们与and连接。更改此设置的方法是将:join_by属性设置为:and。来源:http://www.tzi。 org/~sbartsch/declarative_authorization/master/classes/Authorization/Reader/AuthorizationRulesReader.html#M000184
I don't think nesting the
if_attributestatements actually works like that. Declarative_authorization by default joins theseif_attributestatements with anorstatement, but if I understand correctly you want them joined withand. The way to change this is to set the:join_byattribute to:and.source: http://www.tzi.org/~sbartsch/declarative_authorization/master/classes/Authorization/Reader/AuthorizationRulesReader.html#M000184
我找到了答案。具有讽刺意味的是,答案就在这个问题的标签中;嵌套的。
一旦我验证客户端代码正确,然后创建另一个 do .. end 来检查合作伙伴代码。
I found the answer. The answer, ironically, was in the tags of this question; nested.
Once I validate that the clientcode is correct then create another do .. end to check the partnercode.
:join_by有效,但我的问题是有时您需要AND和OR。您可以在一行上指定多个 if 条件作为不同的参数。这些将使用AND进行比较,而每行则使用OR进行评估。:join_byworks, but my issue with it is that sometimes you need bothANDandOR. You can specify multiple if conditions, on a single line as different arguments. These will be compared together usingANDwhereas each line is evaluated withOR.