nested_model_auth 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +17 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +84 -0
- data/Rakefile +1 -0
- data/lib/nested_model_auth.rb +85 -0
- data/lib/nested_model_auth/version.rb +3 -0
- data/nested_model_auth.gemspec +19 -0
- metadata +53 -0
data/.gitignore
ADDED
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (c) 2012 John Cant
|
2
|
+
|
3
|
+
MIT License
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,84 @@
|
|
1
|
+
# NestedModelAuth
|
2
|
+
|
3
|
+
nested\_model\_auth is a simple model based authentication nanoframework for use with ActiveRecord. All it does is provide convenient methods of determining whether a new or changed record should be allowed to be saved by a user. The goal is to provide a method which can be hooked into by <a href=https://github.com/ryanb/cancan>CanCan</a> to authorize saving of new or changed records to protect against mass assignment vulnerabilities. Please note that this gem does not depend on CanCan, and I don't presume to tell you how you _should_ use this gem, but only how to use it and how I intend to use it.
|
4
|
+
|
5
|
+
# Mass assignment vulnerbilities? Why not just use attr\_protected or attr\_accessible?
|
6
|
+
|
7
|
+
Imagine you have a collection of associated models which you want to mass assign. If you lock down some of the attributes using attr\_protected/attr\_accessible, then (1) You can't mass assign from the console and (2) The attributes are locked down for every user. It also seems weird to break such a powerful feature as mass assignment by having security built into it rather than called from the controller.
|
8
|
+
|
9
|
+
If, instead, you use CanCan or something, you can use this gem to determine which users should be allowed to create or save which records. Think of it like a type of validation except that it depends on who tries to save the model, and that it prevents hacking and doesn't need to report back the errors.
|
10
|
+
|
11
|
+
Called nested\_model\_auth because I plan on making it recursive amongst new records for nested mass assignment. The result of allow\_save\_by? is cached to prevent an infinite loop
|
12
|
+
|
13
|
+
All feedback welcome!
|
14
|
+
|
15
|
+
<pre>
|
16
|
+
# Bad example here, but I hope it gets the point across
|
17
|
+
|
18
|
+
class GroupMembership < ActiveRecord::Base
|
19
|
+
|
20
|
+
belongs\_to :group
|
21
|
+
belongs\_to :account
|
22
|
+
|
23
|
+
# Attributes are :group\_id, :account\_id, :role\_within\_group
|
24
|
+
|
25
|
+
allow\_save\_by do |account|
|
26
|
+
account_id == account.id
|
27
|
+
end
|
28
|
+
|
29
|
+
deny\_save\_by do |account|
|
30
|
+
unless account.site_admin?
|
31
|
+
group_id\_changed? if new_record? # This would prevent a hacker reassigning himself to a different group
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
end
|
36
|
+
|
37
|
+
# Elsewhere in your code
|
38
|
+
|
39
|
+
legit = Account.first.memberships.build(:role\_within\_group => "minion", :group\_id => @group.id)
|
40
|
+
legit.allow\_save\_by(Account.first) # true
|
41
|
+
legit.allow\_save\_by(Account.all[1]) # false
|
42
|
+
|
43
|
+
# User adds himself to a group and becomes admin
|
44
|
+
hack = @hacker.memberships.build(:role\_within\_group => "admin", :group\_id => Group.find\_by\_name("Nobody has heard of this one, and the hacker is the admin").id)
|
45
|
+
hack.allow_save_by(@hacker)
|
46
|
+
hack.save! # Worked. Legit so far...
|
47
|
+
|
48
|
+
# Hacker PUTs to the update controller method but with different data
|
49
|
+
hack.attributes={:role\_within\_group => "admin", :group\_id => Group.find\_by\_name("CIA - TOP SECRET! UNDER NO CIRCUMSTANCES SHOULD ANYONE BE ALLOWED ACCESS TO THIS GROUP")}
|
50
|
+
|
51
|
+
hack.allow\_save\_by(@hacker) # false - If we'd called this method from a CanCan rule, we would prevent the hack
|
52
|
+
hack.allow\_save\_by(Account.where(:is\_site\_admin => true).first) # true - If we were a site admin, we would be permitted to use mass assignment to change this record.
|
53
|
+
|
54
|
+
</pre>
|
55
|
+
|
56
|
+
## Installation
|
57
|
+
|
58
|
+
Add this line to your application's Gemfile:
|
59
|
+
|
60
|
+
gem 'nested_model_auth'
|
61
|
+
|
62
|
+
And then execute:
|
63
|
+
|
64
|
+
$ bundle
|
65
|
+
|
66
|
+
Or install it yourself as:
|
67
|
+
|
68
|
+
$ gem install nested_model_auth
|
69
|
+
|
70
|
+
## Usage
|
71
|
+
|
72
|
+
Please see above!
|
73
|
+
|
74
|
+
## Testing
|
75
|
+
|
76
|
+
Unfortunately there are no specs beyond those which I wrote in my proprietary web app. Because this gem is so simple, I didn't feel the need to write any specs. Feel free to contribute!
|
77
|
+
|
78
|
+
## Contributing
|
79
|
+
|
80
|
+
1. Fork it
|
81
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
82
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
83
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
84
|
+
5. Create new Pull Request
|
data/Rakefile
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
require "bundler/gem_tasks"
|
@@ -0,0 +1,85 @@
|
|
1
|
+
require "nested_model_auth/version"
|
2
|
+
|
3
|
+
module NestedModelAuth
|
4
|
+
|
5
|
+
class AuthorizationRule
|
6
|
+
|
7
|
+
attr_accessor :auth_action, :block
|
8
|
+
|
9
|
+
def initialize(auth_action, &block)
|
10
|
+
@auth_action = auth_action
|
11
|
+
@block = block
|
12
|
+
end
|
13
|
+
|
14
|
+
def invoke_for(model, resource)
|
15
|
+
model.instance_exec(resource, &@block)
|
16
|
+
end
|
17
|
+
|
18
|
+
end
|
19
|
+
|
20
|
+
module Base
|
21
|
+
def self.included(base)
|
22
|
+
base.class_eval do
|
23
|
+
extend ClassMethods
|
24
|
+
include InstanceMethods
|
25
|
+
|
26
|
+
cattr_accessor :authorization_rules
|
27
|
+
@@authorization_rules = {}
|
28
|
+
|
29
|
+
after_initialize do
|
30
|
+
@authorizations = {}
|
31
|
+
end
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
module InstanceMethods
|
36
|
+
|
37
|
+
def allow_save_by?(resource)
|
38
|
+
@authorizations[:save] ||= {}
|
39
|
+
@authorizations[:save][resource[resource.class.primary_key]] ||= run_authorization_rules(resource)
|
40
|
+
end
|
41
|
+
|
42
|
+
def run_authorization_rules(resource)
|
43
|
+
# To allow access, one :allow rule must return true, and NO deny rules must return true
|
44
|
+
allow_access = false
|
45
|
+
deny_access = false
|
46
|
+
self.class.authorization_rules[:save].each do |rule|
|
47
|
+
|
48
|
+
if rule.auth_action == :allow
|
49
|
+
allow_access ||= rule.invoke_for(self, resource)
|
50
|
+
end
|
51
|
+
|
52
|
+
if rule.auth_action == :deny
|
53
|
+
deny_access ||= rule.invoke_for(self, resource)
|
54
|
+
break if deny_access
|
55
|
+
end
|
56
|
+
|
57
|
+
end
|
58
|
+
|
59
|
+
if (allow_access && !deny_access)
|
60
|
+
true
|
61
|
+
else
|
62
|
+
false
|
63
|
+
end
|
64
|
+
|
65
|
+
end
|
66
|
+
|
67
|
+
end
|
68
|
+
|
69
|
+
module ClassMethods
|
70
|
+
|
71
|
+
def allow_save_by(&block)
|
72
|
+
self.authorization_rules[:save] ||= []
|
73
|
+
self.authorization_rules[:save] << AuthorizationRule.new(:allow, &block)
|
74
|
+
end
|
75
|
+
|
76
|
+
def deny_save_by(&block)
|
77
|
+
self.authorization_rules[:save] ||= []
|
78
|
+
self.authorization_rules[:save] << AuthorizationRule.new(:deny, &block)
|
79
|
+
end
|
80
|
+
|
81
|
+
end
|
82
|
+
end
|
83
|
+
end
|
84
|
+
|
85
|
+
ActiveRecord::Base.send :include, NestedModelAuth::Base
|
@@ -0,0 +1,19 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
require 'nested_model_auth/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |gem|
|
7
|
+
gem.name = "nested_model_auth"
|
8
|
+
gem.version = NestedModelAuth::VERSION
|
9
|
+
gem.authors = ["John Cant"]
|
10
|
+
gem.email = ["a.johncant@gmail.com"]
|
11
|
+
gem.description = %q{model based authorization for new or edited records}
|
12
|
+
gem.summary = %q{Protect your mass assignment by explicit authorization}
|
13
|
+
gem.homepage = ""
|
14
|
+
|
15
|
+
gem.files = `git ls-files`.split($/)
|
16
|
+
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
17
|
+
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
18
|
+
gem.require_paths = ["lib"]
|
19
|
+
end
|
metadata
ADDED
@@ -0,0 +1,53 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: nested_model_auth
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.0.1
|
5
|
+
prerelease:
|
6
|
+
platform: ruby
|
7
|
+
authors:
|
8
|
+
- John Cant
|
9
|
+
autorequire:
|
10
|
+
bindir: bin
|
11
|
+
cert_chain: []
|
12
|
+
date: 2012-12-04 00:00:00.000000000 Z
|
13
|
+
dependencies: []
|
14
|
+
description: model based authorization for new or edited records
|
15
|
+
email:
|
16
|
+
- a.johncant@gmail.com
|
17
|
+
executables: []
|
18
|
+
extensions: []
|
19
|
+
extra_rdoc_files: []
|
20
|
+
files:
|
21
|
+
- .gitignore
|
22
|
+
- Gemfile
|
23
|
+
- LICENSE.txt
|
24
|
+
- README.md
|
25
|
+
- Rakefile
|
26
|
+
- lib/nested_model_auth.rb
|
27
|
+
- lib/nested_model_auth/version.rb
|
28
|
+
- nested_model_auth.gemspec
|
29
|
+
homepage: ''
|
30
|
+
licenses: []
|
31
|
+
post_install_message:
|
32
|
+
rdoc_options: []
|
33
|
+
require_paths:
|
34
|
+
- lib
|
35
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
36
|
+
none: false
|
37
|
+
requirements:
|
38
|
+
- - ! '>='
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '0'
|
41
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
42
|
+
none: false
|
43
|
+
requirements:
|
44
|
+
- - ! '>='
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: '0'
|
47
|
+
requirements: []
|
48
|
+
rubyforge_project:
|
49
|
+
rubygems_version: 1.8.24
|
50
|
+
signing_key:
|
51
|
+
specification_version: 3
|
52
|
+
summary: Protect your mass assignment by explicit authorization
|
53
|
+
test_files: []
|