declarative_authorization if_attribute 中对用户的多个条件

发布于 2024-11-03 20:52:28 字数 815 浏览 4 评论 0原文

我有 4 个不同级别的访问权限;管理员、合作伙伴、员工和客户。管理员、合作伙伴和员工对客户端拥有管理访问权限。基本上我所做的是创建一个 Rails 应用程序,客户可以将文档上传到他们的供应商(合作伙伴)。除了客户端级别的访问之外,一切都运行良好。我有两个代码;合作伙伴代码和客户端代码。合作伙伴只能查看文件的partercode 字段等于合作伙伴的合作伙伴代码的文件。这很好用。但是,客户端只能看到合作伙伴代码与客户端代码匹配的文件。下面是我的客户部分。有效的方法是只允许客户端查看partercode 文件,但设置它们可以查看属于合作伙伴的其他客户端。 (通过在 URL 中输入数字)。我怀疑这会成为一个问题,但这是一个我绝对希望关闭的安全漏洞。

  role :client do
    has_permission_on [:users], :to => [:client, :edit, :update] do
      if_attribute :username => is { user.username }
    end
     has_permission_on [:documents], :to => [:client, :new, :create]
     has_permission_on [:documents], :to => [:client, :index, :show, :edit, :update, :destroy, :documents] do
       if_attribute :partnercode => is { user.partnercode }, :clientcode => is { user.clientcode }
     end
  end

I have 4 different levels of access; admin, partner, employee and client. Admin, Partner, and Employee have administrative access over clients. Basically what I have done is created a Rails app where clients can upload documents to their vendor (partners). Everything works great except for the client level access. I have two codes; partercode and client code. Partners can only see files where the file's partercode field equals the partner's partner code. This works just fine. However, the client can only see files where the partnercode matches and the clientcode matches. Below is my client section. What is working is that the client IS only allowed to see the partercode files, but it is setting them see other clients that belong to the partner. (by typing in the number in the URL). I doubt this would ever be an issue, but it's a security hole that I would definitely want closed.

  role :client do
    has_permission_on [:users], :to => [:client, :edit, :update] do
      if_attribute :username => is { user.username }
    end
     has_permission_on [:documents], :to => [:client, :new, :create]
     has_permission_on [:documents], :to => [:client, :index, :show, :edit, :update, :destroy, :documents] do
       if_attribute :partnercode => is { user.partnercode }, :clientcode => is { user.clientcode }
     end
  end

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

丢了幸福的猪 2024-11-10 20:52:28

我不认为嵌套 if_attribute 语句实际上是这样工作的。默认情况下,Declarative_authorization 将这些 if_attribute 语句与 or 语句连接起来,但如果我理解正确的话,您希望它们与 and 连接。更改此设置的方法是将 :join_by 属性设置为 :and

role :client do
  has_permission_on [:documents], :to => [:do_whatever], :join_by => :and do
    if_attribute :partnercode => is { user.partnercode }
    if_attribute :clientcode => is { user.clientcode }
  end
end

来源:http://www.tzi。 org/~sbartsch/declarative_authorization/master/classes/Authorization/Reader/AuthorizationRulesReader.html#M000184

I don't think nesting the if_attribute statements actually works like that. Declarative_authorization by default joins these if_attribute statements with an or statement, but if I understand correctly you want them joined with and. The way to change this is to set the :join_by attribute to :and.

role :client do
  has_permission_on [:documents], :to => [:do_whatever], :join_by => :and do
    if_attribute :partnercode => is { user.partnercode }
    if_attribute :clientcode => is { user.clientcode }
  end
end

source: http://www.tzi.org/~sbartsch/declarative_authorization/master/classes/Authorization/Reader/AuthorizationRulesReader.html#M000184

千と千尋 2024-11-10 20:52:28

我找到了答案。具有讽刺意味的是,答案就在这个问题的标签中;嵌套的。

  role :client do
    has_permission_on [:users], :to => [:client, :edit, :update] do
      if_attribute :username => is { user.username }
    end
     has_permission_on [:documents], :to => [:client, :new, :create]
     has_permission_on [:documents], :to => [:client, :index, :show, :edit, :update, :destroy, :documents] do
       if_attribute :clientcode => is { user.clientcode } do
        if_attribute :partnercode => is { user.partnercode }
       end
     end
  end

一旦我验证客户端代码正确,然后创建另一个 do .. end 来检查合作伙伴代码。

I found the answer. The answer, ironically, was in the tags of this question; nested.

  role :client do
    has_permission_on [:users], :to => [:client, :edit, :update] do
      if_attribute :username => is { user.username }
    end
     has_permission_on [:documents], :to => [:client, :new, :create]
     has_permission_on [:documents], :to => [:client, :index, :show, :edit, :update, :destroy, :documents] do
       if_attribute :clientcode => is { user.clientcode } do
        if_attribute :partnercode => is { user.partnercode }
       end
     end
  end

Once I validate that the clientcode is correct then create another do .. end to check the partnercode.

酒儿 2024-11-10 20:52:28

:join_by 有效,但我的问题是有时您需要 ANDOR。您可以在一行上指定多个 if 条件作为不同的参数。这些将使用 AND 进行比较,而每行则使用 OR 进行评估。

role :client do
  has_permission_on [:documents], :to => [:do_whatever], :join_by => :and do
    if_attribute :partnercode => is { user.partnercode }, 
                 :clientcode => is { user.clientcode } # These two are evaluated with AND
    if_attribute :some_attr => is { some_val }
  end
end

:join_by works, but my issue with it is that sometimes you need both AND and OR. You can specify multiple if conditions, on a single line as different arguments. These will be compared together using AND whereas each line is evaluated with OR.

role :client do
  has_permission_on [:documents], :to => [:do_whatever], :join_by => :and do
    if_attribute :partnercode => is { user.partnercode }, 
                 :clientcode => is { user.clientcode } # These two are evaluated with AND
    if_attribute :some_attr => is { some_val }
  end
end
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文