Before Filters

Hi all, I am having a slight problem with a before filter. I have a page that calls a before filter to create a set of methods to call my report generator based on if the person has permissions to the report. In development it seems to work fine, but in production I only have access to one of the reports; it tells me that no action responded to the particular method being called. Being that I can get to the first report, I know that it is working but failing on the second time through the loop.

Code in the controller looks like this:

########################################################################################

before_filter :create_report_methods

def create_report_methods
  Report.find_all.each do |r|
    HomeController.send :define_method, "report_#{r.id}" do
      redirect_to("http://onetruth:8080/birt/frameset?__report=#{r.name}.rptdesign")
    end unless ReportMembership.find(:first, :conditions => ["report_id = ? and memberable_type = 'TeamMember' and memberable_id = ?", r.id, TeamMember.get_team_member.id]).nil? and ReportMembership.find_by_sql(["select * from report_memberships as rm, team_members as tm, departments as d, department_memberships as dm where rm.memberable_type = 'Department' and rm.memberable_id = d.id and d.id = dm.department_id and dm.team_member_id = tm.id and tm.id = ? and report_id = ?", TeamMember.get_team_member.id, r.id]).first.nil?
  end
end

yuck.

###########################################################################################

It works as expected in development, so my question is: could another user be going to the site through mongrel and changing the methods I have? Any help is appreciated with this issue of mine. (I will post the log entries once I find them; I am working in production on a test system.)

Quite possible. Another difference between development and production is that in development the classes are reloaded on each request. I have to wonder why you need a convoluted design like this, rather than have a single report action that generates the right thing based on the id parameter.

Fred

The thought behind this is for security reasons: if the user has a report method that parameters are passed to, a person could easily get a hold of reports that he should not be able to see. If I query the database, like I am doing here, I still run the risk of someone getting to the report. If I use everything behind the scenes like I currently am and define a method to call each report based on if you have permissions on that report, it seems a little more secure than passing a number to a report function. I also don't have to error check to see if the id is an integer and all the other fun stuff that goes along with that.

Anyways, my boss liked it better this way. Also I noticed that I have permissions on all reports and I can only get to the first report, not the others that I have permission to. There is one other person whose permissions are the same as mine. This is perplexing me a little bit.

White Wizzard

BTW, I do know that I need to refactor this code to prevent some CS attacks by moving the finds into the models...

WW

> The thought behind this is for security reasons: if the user has a report method that parameters are passed to, a person could easily get a hold of reports that he should not be able to see. If I query the database, like I am doing here, I still run the risk of someone getting to the report. If I use everything behind the scenes like I currently am and define a method to call each report based on if you have permissions on that report, it seems a little more secure than passing a number to a report function. I also don't have to error check to see if the id is an integer and all the other fun stuff that goes along with that.

You're adding no security, but you are adding rather a lot of complexity (and of course once you've added the methods for one user they'll be there for every user. Of course you won't notice that in development because classes are reloaded, so that's a hole waiting to bite you).

If user has_many :reports (via some join model that models who has been given access to what) then it's as easy as

report = @logged_in_user.reports.find_by_id(params[:id])
if report
  report.run
else
  # oops, you don't have access to that report
end

Fred
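An added example, not from the thread, in plain Ruby with no Rails: it models the two designs discussed above so the behaviour can be checked offline. The Report, User, DynamicController and ScopedController names and the sample users are constructed for illustration; User#find_report stands in for a lookup scoped through the user's has_many :reports association.

```ruby
# Constructed sample data standing in for the reports table.
Report = Struct.new(:id, :name)
REPORTS = [Report.new(1, "sales"), Report.new(2, "payroll")]

class User
  attr_reader :name, :report_ids
  def initialize(name, report_ids)
    @name, @report_ids = name, report_ids
  end

  # Stand-in for @logged_in_user.reports.find_by_id(id): the lookup is scoped
  # to this user's own reports, so an id the user may not see returns nil.
  def find_report(id)
    REPORTS.find { |r| r.id == id && @report_ids.include?(r.id) }
  end
end

# Design 1 (the original poster's): per-report actions defined on the controller
# class itself. In production the class is cached, so methods added while
# serving one user stay defined for every later user.
class DynamicController
  def self.grant(user)
    REPORTS.each do |r|
      next unless user.report_ids.include?(r.id)
      define_method("report_#{r.id}") { "rendered #{r.name}" }
    end
  end

  # Actions currently reachable on the shared class, regardless of who is logged in.
  def self.actions
    public_instance_methods(false).map(&:to_s).grep(/\Areport_/).sort
  end
end

# Design 2 (Fred's): one action, authorization enforced by the scoped query.
class ScopedController
  def self.show(user, id)
    report = user.find_report(id)
    report ? "rendered #{report.name}" : "forbidden"
  end
end

# Two consecutive requests against the same cached controller class.
def demo
  alice = User.new("alice", [1, 2])
  bob   = User.new("bob",   [1])
  DynamicController.grant(alice)        # first request: alice gets report_1, report_2
  DynamicController.grant(bob)          # second request: bob only adds report_1 ...
  { reachable_after_bob: DynamicController.actions, # ... yet report_2 is still there
    bob_scoped:   ScopedController.show(bob, 2),
    alice_scoped: ScopedController.show(alice, 2) }
end
```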