2

I would like to limit users only to view and edit data that are from their apartment. I have saved their apartment_id in session[:apartment_id]. So, I have CRUD, and I would like to limit users not to be able to do /data/ID/edit only to change ID and then to edit data. Is there a nice way to do this, lets say, through some scope or do I have to validate everything in my controller in every action. Thank you in advance. Dorijan

edit: this is more detailed: lets say there is a list of users when do /data and when you want to see specific data about some user with ID you would go to /data/ID example /data/27. In my database, for model data, I got row apartment_id, which tells in what apartment that user belongs.

Now, I want to limit view for some users based on their session data. For example, when user login, he got session[:apartment_id].

So, I want to be able to limit user not to be able to access for example /data/34 for user_id=34 which has apartment_id different from session[:apartment_id].

Also, when user access /data only to show users from his apparent.

I know I can do that in each controller, for every method to check this, but can I do this somewhere in model, to be general? thank you

Improve this question
3
  • Without knowing how your application is setup, if there's an association between users and their apartment, you could check that the apartment they're trying to edit belongs to their user? Commented Apr 19, 2012 at 1:15
  • What models and relationships do you have between users and apartments? Commented Apr 19, 2012 at 1:17
  • This railscast might help railscasts.com/episodes/1-caching-with-instance-variables Commented Apr 19, 2012 at 1:24

3 Answers 3

Reset to default
3

Adding Row-Level Security to your Rails app If you’re building a web application with a database, you may want more than one user, which means adding row-level security, and authentication.

Rails helps with a cool gem called Devise. Devise creates a User table and views to authenticate into the web app with a session, and then you can add authentication to each view to make sure you have a valid session to see that view.

That’s all fine and dandy but doesn’t solve my other problem, which is to restrict data in the database by user. So I chose to use the Devise User model, in particular the id field, and altered by other database tables to include the id field ( I called it user_id ). This all works when you then tweak the rest of the Rails app like the model calls to use the session user_id as part of each SQL query. Let me take a stab at explaining the basic steps, which have some detail, but you’ll need to improvise for your case.

The process in my eyes is divided into Devise-specific steps, and row-level security steps.

Devise Steps

Adding Devise to your Rails Project

    add devise gem to gem file

    gem ‘devise’

    bundle install



rails generate devise:install

( installs devise into rails app - be in the app directory root )

rails g devise:views

( Optional step: this copies views so we can customize and style )

rails generate devise User

( creates the user model )

bundle exec rake db:migrate

( creates the table - note you need privileges in the yml to change the database structure )

Remaining Devise-related Steps

Add a top div to application.html.erb checking if user is logged in or not, and showing login id or new user and login link

<div class=”top”>

<p class=”notice”><%= notice %></p>

<p class=”alert”><%= alert %></p>

<p>

<% if user_signed_in? %>

  Logged in as <strong><%= current_user.email %></strong>.

  <%= link_to ‘Edit profile’, edit_user_registration_path %> |

  <%= link_to “Logout”, destroy_user_session_path, method: :delete  %>

<% else %>

  <%= link_to “Sign up”, new_user_registration_path  %> |

  <%= link_to “Login”, new_user_session_path %>

<% end %>

</div>

created a ‘guest’ controller and view to show when not logged in - also updated routes.rb to make this the root - i.e., the first time someone goes to your site, you should take them to the guest controller, not the data! You don’t have a session yet.

updated guest/root controller, in particular, index action to go to logged in controller if user is logged in 

  if user_signed_in?

    redirect_to :controller=>’home’, :action=> ‘index’

  end

In every other data/loggedin controller, add the following to the top of the controller before the actions: This will ensure no one can use the URL paths to land on a page without being authenticated.

before_filter :authenticate_user!

Row-level steps

Alter the tables where you want Row-level security “RLS” with user_id column.

mysql> ALTER TABLE mytable ADD COLUMN user_id VARCHAR(255) AFTER id;

Update the tables with a valid user_id from users table ( this assumes you already created a user with the register form. Or just use 1, since it appears Devise starts the first user id at 1 )

mysql> UPDATE mytable SET user_id = ( SELECT id FROM users WHERE email = ‘[email protected]’ );

Handle adding of user_id to table inserts

In data/loggedin controller CREATE action, update the user_id field in the parameter object. 

def create

params[:mytable][:user_id] = current_user.id

…

end

Handle selects / queries by passing user_id as a parameter

In a data/loggedin model, pass user_id into a new my query scope and then combine that new scope with other scopes ( making sure to pass user_id into the other scopes; there’s other ways to do this, but I love scopes ):

scope :my, -> (user_id) { where(“user_id = ?”, user_id) }

scope :mylovelyquery, -> (user_id) { my(user_id).where(:mylovelyselectioncriteria=>”A”).order(“mysortfield”)  }

In the data/logged controllers, change index action to get current_user.id and pass it to the ActiveRecord scopes you created. This step is tedidious and could be done often - look for any controller indexes or any controller action doing a SELET - that need RLS! This applies to Ajax calls too.

def index

@user_id = current_user.id

@mytables = Mytable.my(@user_id).order(mylovelysortfield DESC”)

end

Lessons Learned

Probably the one thing that hung me up the most was forgetting to get the current_user.id, before doing any retrieving the database.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

If your user has_many apartments, then generally you can do this in your controller:

def edit
  current_user.apartments.find(params[:id])
end

This will only find apartments that belong to the current user.

UPDATE

looks like you don't have a current_user object... so:

def edit 
  @apartment = Apartment.find(params[:id])
  redirect_to root_path, error: "You do not have access for this apartment"
end
Improve this answer

1 Comment

thank you for your answer, but I mean something else. I got like this: @client = Client.find(params[:id]), but I want to limit edit of this data if Client.apartment_id!=session[:apartment_id]
0

You can use a before_filter on any actions you want to limit in your controller. Here's some reading on the subject: http://guides.rubyonrails.org/action_controller_overview.html#filters

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.