heimdallr 1.0.3 → 1.0.4

data/README.md

@@ -110,6 +110,15 @@ that means it will raise an exception for every insecure request. Calling `.impl
 of proxy object switched to another strategy. With that it will silently return nil for every attribute
 that is inaccessible.
 
+There are several options which alter Heimdallr's behavior in security-sensitive ways. They are described
+in [Heimdallr](http://rubydoc.info/gems/heimdallr/master/Heimdallr).
+
+Rails notes
+-----------
+
+As of Rails 3.2.3 attr_accessible is in whitelist mode by default. That makes no sense when using Heimdallr. To 
+turn it off set the `config.active_record.whitelist_attributes` value to false at yours `application.rb`.
+
 Typical cases
 -------------
 

data/heimdallr.gemspec

@@ -3,7 +3,7 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = "heimdallr"
-  s.version     = "1.0.3"
+  s.version     = "1.0.4"
   s.authors     = ["Peter Zotov", "Boris Staal"]
   s.email       = ["whitequark@whitequark.org", "boris@roundlake.ru"]
   s.homepage    = "http://github.com/roundlake/heimdallr"

data/lib/heimdallr.rb

@@ -25,9 +25,24 @@ module Heimdallr
     #
     # @return [Boolean]
     attr_accessor :allow_insecure_associations
+
+    # Allow unrestricted association fetching in case of eager loading.
+    #
+    # By default, associations are restricted with fetch scope either when
+    # they are accessed or when they are eagerly loaded (with #includes).
+    # Condition injection on eager loads are known to be quirky in some cases,
+    # particularly deeply nested polymorphic associations, and if the layout
+    # of your database guarantees that any data fetched through explicitly
+    # eagerly loaded associations will be safe to view (or if you restrict
+    # it manually), you can enable this setting to skip automatic condition
+    # injection.
+    #
+    # @return [Boolean]
+    attr_accessor :skip_eager_condition_injection
   end
 
   self.allow_insecure_associations = false
+  self.skip_eager_condition_injection = false
 
   # {PermissionError} is raised when a security policy prevents
   # a called operation from being executed.

data/lib/heimdallr/model.rb

@@ -35,7 +35,7 @@ module Heimdallr
         if block
           @restrictions = Evaluator.new(self, block)
         else
-          Proxy::Collection.new(context, restrictions(context).request_scope, options)
+          Proxy::Collection.new(context, restrictions(context).request_scope(:fetch, self), options)
         end
       end
 

data/lib/heimdallr/proxy/collection.rb

@@ -19,6 +19,7 @@ module Heimdallr
       @context, @scope, @options = context, scope, options
 
       @restrictions = @scope.restrictions(context)
+      @options[:eager_loaded] ||= {}
     end
 
     # Collections cannot be restricted with different context or options.
@@ -40,7 +41,7 @@ module Heimdallr
     def self.delegate_as_constructor(name, method)
       class_eval(<<-EOM, __FILE__, __LINE__)
       def #{name}(attributes={})
-        record = @restrictions.request_scope(:fetch).new.restrict(@context, @options)
+        record = @restrictions.request_scope(:fetch).new.restrict(@context, options_with_escape)
         record.#{method}(attributes.merge(@restrictions.fixtures[:create]))
         record
       end
@@ -53,7 +54,7 @@ module Heimdallr
     def self.delegate_as_scope(name)
       class_eval(<<-EOM, __FILE__, __LINE__)
       def #{name}(*args)
-        Proxy::Collection.new(@context, @scope.#{name}(*args), @options)
+        Proxy::Collection.new(@context, @scope.#{name}(*args), options_with_escape)
       end
       EOM
     end
@@ -75,7 +76,7 @@ module Heimdallr
     def self.delegate_as_record(name)
       class_eval(<<-EOM, __FILE__, __LINE__)
       def #{name}(*args)
-        @scope.#{name}(*args).restrict(@context, @options)
+        @scope.#{name}(*args).restrict(@context, options_with_eager_load)
       end
       EOM
     end
@@ -87,7 +88,7 @@ module Heimdallr
       class_eval(<<-EOM, __FILE__, __LINE__)
       def #{name}(*args)
         @scope.#{name}(*args).map do |element|
-          element.restrict(@context, @options)
+          element.restrict(@context, options_with_eager_load)
         end
       end
       EOM
@@ -113,9 +114,6 @@ module Heimdallr
     delegate_as_scope :uniq
     delegate_as_scope :where
     delegate_as_scope :joins
-    delegate_as_scope :includes
-    delegate_as_scope :eager_load
-    delegate_as_scope :preload
     delegate_as_scope :lock
     delegate_as_scope :limit
     delegate_as_scope :offset
@@ -154,6 +152,57 @@ module Heimdallr
     delegate_as_records :to_a
     delegate_as_records :to_ary
 
+    # A proxy for +includes+ which adds Heimdallr conditions for eager loaded
+    # associations.
+    def includes(*associations)
+      # Normalize association list to strict nested hash.
+      normalize = ->(list) {
+        if list.is_a? Array
+          list.map(&normalize).reduce(:merge)
+        elsif list.is_a? Symbol
+          { list => {} }
+        elsif list.is_a? Hash
+          hash = {}
+          list.each do |key, value|
+            hash[key] = normalize.(value)
+          end
+          hash
+        end
+      }
+      associations = normalize.(associations)
+
+      current_scope = @scope.includes(associations)
+
+      add_conditions = ->(associations, scope) {
+        associations.each do |association, nested|
+          reflection = scope.reflect_on_association(association)
+          if reflection && !reflection.options[:polymorphic]
+            associated_klass = reflection.klass
+
+            if associated_klass.respond_to? :restrict
+              nested_scope = associated_klass.restrictions(@context).request_scope(:fetch)
+
+              where_values = nested_scope.where_values
+              if where_values.any?
+                current_scope = current_scope.where(*where_values)
+              end
+
+              add_conditions.(nested, associated_klass)
+            end
+          end
+        end
+      }
+
+      unless Heimdallr.skip_eager_condition_injection
+        add_conditions.(associations, current_scope)
+      end
+
+      options = @options.merge(eager_loaded:
+        @options[:eager_loaded].merge(associations))
+
+      Proxy::Collection.new(@context, current_scope, options)
+    end
+
     # A proxy for +find+ which restricts the returned record or records.
     #
     # @return [Proxy::Record, Array<Proxy::Record>]
@@ -162,10 +211,10 @@ module Heimdallr
 
       if result.is_a? Enumerable
         result.map do |element|
-          element.restrict(@context, @options)
+          element.restrict(@context, options_with_eager_load)
         end
       else
-        result.restrict(@context, @options)
+        result.restrict(@context, options_with_eager_load)
       end
     end
 
@@ -175,7 +224,7 @@ module Heimdallr
     # @yieldparam [Proxy::Record] record
     def each
       @scope.each do |record|
-        yield record.restrict(@context, @options)
+        yield record.restrict(@context, options_with_eager_load)
       end
     end
 
@@ -183,12 +232,12 @@ module Heimdallr
     def method_missing(method, *args)
       if method =~ /^find_all_by/
         @scope.send(method, *args).map do |element|
-          element.restrict(@context, @options)
+          element.restrict(@context, options_with_escape)
         end
       elsif method =~ /^find_by/
-        @scope.send(method, *args).restrict(@context, @options)
+        @scope.send(method, *args).restrict(@context, options_with_escape)
       elsif @scope.heimdallr_scopes && @scope.heimdallr_scopes.include?(method)
-        Proxy::Collection.new(@context, @scope.send(method, *args), @options)
+        Proxy::Collection.new(@context, @scope.send(method, *args), options_with_escape)
       elsif @scope.respond_to? method
         raise InsecureOperationError,
             "Potentially insecure method #{method} was called"
@@ -232,5 +281,18 @@ module Heimdallr
     def creatable?
       @restrictions.can? :create
     end
+
+    private
+
+    # Return options hash to pass to children proxies.
+    # Currently this checks only eagerly loaded collections, which
+    # shouldn't be passed around blindly.
+    def options_with_escape
+      @options.reject { |k,v| k == :eager_loaded }
+    end
+
+    def options_with_eager_load
+      @options
+    end
   end
 end

data/lib/heimdallr/proxy/record.rb

@@ -16,9 +16,10 @@ module Heimdallr
     # @param object   proxified record
     # @option options [Boolean] implicit proxy type
     def initialize(context, record, options={})
-      @context, @record, @options = context, record, options
+      @context, @record, @options = context, record, options.dup
 
       @restrictions = @record.class.restrictions(context, record)
+      @eager_loaded = @options.delete(:eager_loaded) || {}
     end
 
     # @method decrement(field, by=1)
@@ -40,6 +41,18 @@ module Heimdallr
     # and thus is not considered as a potential security threat.
     delegate :touch, :to => :@record
 
+    # @method model_name
+    # @macro delegate
+    delegate :model_name, :to => :@record
+
+    # @method to_key
+    # @macro delegate
+    delegate :to_key, :to => :@record
+
+    # @method to_param
+    # @macro delegate
+    delegate :to_param, :to => :@record
+
     # A proxy for +attributes+ method which removes all attributes
     # without +:view+ permission.
     def attributes
@@ -176,7 +189,7 @@ module Heimdallr
         suffix = nil
       end
 
-      if (defined?(ActiveRecord) && @record.is_a?(ActiveRecord::Reflection) &&
+      if (@record.is_a?(ActiveRecord::Reflection) &&
           association = @record.class.reflect_on_association(method)) ||
          (!@record.class.heimdallr_relations.nil? &&
           @record.class.heimdallr_relations.include?(normalized_method))
@@ -185,7 +198,19 @@ module Heimdallr
         if referenced.nil?
           nil
         elsif referenced.respond_to? :restrict
-          referenced.restrict(@context, @options)
+          if @eager_loaded.include?(method)
+            options = @options.merge(eager_loaded: @eager_loaded[method])
+          else
+            options = @options
+          end
+
+          if association.collection? && @eager_loaded.include?(method)
+            # Don't re-restrict eagerly loaded collections to not
+            # discard preloaded data.
+            Proxy::Collection.new(@context, referenced, options)
+          else
+            referenced.restrict(@context, @options)
+          end
         elsif Heimdallr.allow_insecure_associations
           referenced
         else
@@ -263,6 +288,11 @@ module Heimdallr
       }.merge(@restrictions.reflection)
     end
 
+    def visible?
+      scope = @restrictions.request_scope(:fetch)
+      scope.where({ @record.class.primary_key => @record.to_key }).any?
+    end
+
     def creatable?
       @restrictions.can? :create
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: heimdallr
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.4
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-13 00:00:00.000000000 Z
+date: 2012-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &70171398246540 !ruby/object:Gem::Requirement
+  requirement: &70300668429320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,10 +22,10 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *70171398246540
+  version_requirements: *70300668429320
 - !ruby/object:Gem::Dependency
   name: activemodel
-  requirement: &70171398246060 !ruby/object:Gem::Requirement
+  requirement: &70300668428840 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -33,10 +33,10 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *70171398246060
+  version_requirements: *70300668428840
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70171398245680 !ruby/object:Gem::Requirement
+  requirement: &70300668428460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -44,10 +44,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70171398245680
+  version_requirements: *70300668428460
 - !ruby/object:Gem::Dependency
   name: activerecord
-  requirement: &70171398245220 !ruby/object:Gem::Requirement
+  requirement: &70300668428000 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -55,7 +55,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70171398245220
+  version_requirements: *70300668428000
 description: ! "Heimdallr aims to provide an easy to configure and efficient object-
   and field-level access\n control solution, reusing proven patterns from gems like
   CanCan and allowing one to manage permissions in a very\n fine-grained manner."