#207 ✓resolved
Marko Seppä

Newsletters backend controllers should guard permissions

Reported by Marko Seppä | January 22nd, 2009 @ 10:06 AM | in Release 0.1.1

The following controllers should guard permissions:

• admin::deleted_issues_controller
• admin::newsletters_controller
• admin::issues_controller
• admin::newsletter_subscription_controller


Comments and changes to this ticket

  • Marko Seppä

    Marko Seppä January 22nd, 2009 @ 10:08 AM

    Formatting sucked, here it is in a more easily readable form:

    • admin::deleted_issues_controller
    • admin::newsletters_controller
    • admin::issues_controller
    • admin::newsletter_subscription_controller
  • Priit Tamboom

    Priit Tamboom January 22nd, 2009 @ 11:50 AM

    Thanks for opening the ticket.

    I'll check all controller actions for whether the user is site admin or superuser, so that other users cannot have access.

    Correct me if the permissions should be different.

  • Priit Tamboom

    Priit Tamboom January 26th, 2009 @ 08:22 AM

    • State changed from “new” to “open”
  • Priit Tamboom

    Priit Tamboom February 16th, 2009 @ 04:32 PM

    I have been studying adva roles/context code in order to use guard permissions. The big picture is a bit fuzzy to me (any intro docs about it?).

    To add context to newsletter I should:

    
    # add to newsletter.rb
    class Newsletter < ActiveRecord::Base
      acts_as_role_context :actions => ["manage newsletters"]
    end
    
    # add to newsletter_controller.rb (superclass assumed to be the admin base controller)
    class Admin::NewslettersController < Admin::BaseController
      private
        def current_resource
          @site
        end
    end
    

    I get: could not find role for show newsletter (on: #<Rbac::Context::Base:0xb5e5bbd0 @subject=Rbac::Context>).

    Any hints?

    I need a short high-level overview perhaps. As far as I understand, I can make every model a context, with the name defined by :actions (in this case "manage newsletters"). Probably I should use a before filter in the controller to define which role in which context can access what, etc. Am I right?

  • Sven Fuchs

    Sven Fuchs February 16th, 2009 @ 08:16 PM

    Not quite sure I get what you mean :)

    It's correct that adva_rbac is one of the rather obscure engines. And it likely will change in the future. But the newsletter controller of course still should guard access.

    The context here is the context a role has. E.g. you're the :admin in the context of a Site. Or you could be the :moderator in the :context of a Forum. As contexts can inherit: if you're the :admin in the context of a Site you're also the :admin in the context of the Site's child-contexts, like all Sections, all Contents belonging to these Sections etc.

    Roles can be granted dynamically (currently there's no UI for that though), you'll just get the :superuser role when you install adva-cms. Permissions can be mapped to Roles. I.e. you can define that only :admins can create/edit/delete Themes. Or you could define that :moderators can do that. "create newsletter" is an example of a permission that could be mapped to a certain Role.

    So for a given action the system would look up what Role you have for the current context and match that against the permission that has been set as required for this action.

    You can find the defaults for permission/role mappings somewhere in adva_cms/lib/roles.rb (which is a rather stupid location because it's config stuff, but right now it's there).

    Maybe the easiest setup would be to have something like this in the newsletter controller:

    guards_permissions :newsletter

    And then define the permissions in adva_cms/lib/roles.rb accordingly.

    When you look at the ThemesController in adva_themes you can find an example of another concept that we have, which iirc is called "virtual actions". This basically means that adva_rbac doesn't just use controller actions but internally maps them to "virtual actions". E.g. by default accessing the :new and :create actions on any controller would be mapped to a common "create [resource_name]" action.

    In the ThemesController you can see that you are free to map actual controller actions to virtual actions in any way you want. E.g. both the :select and :unselect controller actions are mapped to the virtual "update theme" action (which is then used in the roles.rb file to define permissions).

    HTH :)
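The model Sven describes above (roles held in a context, contexts inheriting from a parent, permissions mapped to roles, controller actions mapped to "virtual actions") as a self-contained Ruby sketch. This is an added example, not adva_rbac's code: every class, method and constant here is an assumption, and the permission table only mimics the role of adva_cms/lib/roles.rb. It also reproduces the failure Priit hit earlier in the thread: when the virtual action for a request has no role mapped to it, the guard fails with "could not find role for ...".

```ruby
# Added example, not adva_cms/adva_rbac code. All names are assumptions.

# Anything a role can be held in (Site, Section, Newsletter, ...). Each
# context knows its parent, so a role granted on the Site is also
# effective on every child context of that Site.
class RoleContext
  attr_reader :name, :parent
  def initialize(name, parent = nil)
    @name, @parent = name, parent
  end

  # self, parent, grandparent, ... (root last)
  def ancestors
    chain = []
    ctx = self
    while ctx
      chain << ctx
      ctx = ctx.parent
    end
    chain
  end
end

class User
  attr_reader :name, :roles
  def initialize(name)
    @name = name
    @roles = [] # pairs of [role, context]; context nil means global
  end

  # Grant a role in a context (no context: global, e.g. :superuser).
  def grant(role, context = nil)
    @roles << [role, context]
  end

  # Roles effective in +context+: granted globally, on the context itself,
  # or on any ancestor (this is the context inheritance from the thread).
  def roles_for(context)
    chain = context.ancestors
    @roles.select { |_, ctx| ctx.nil? || chain.include?(ctx) }.map(&:first).uniq
  end
end

# Strongest role first; a role satisfies any requirement at or below it.
ROLE_ORDER = [:superuser, :admin, :moderator, :author, :user]

# Stand-in for the roles.rb defaults: required role per virtual action.
# Deleting the "show newsletter" line reproduces the "could not find role" error.
PERMISSIONS = {
  "create newsletter"  => :admin,
  "update newsletter"  => :admin,
  "destroy newsletter" => :admin,
  "show newsletter"    => :moderator,
}

# Default controller-action -> verb mapping. The thread only confirms
# :new/:create -> "create <resource>"; the other rows are assumed.
DEFAULT_ACTION_MAP = {
  new: "create", create: "create",
  edit: "update", update: "update",
  destroy: "destroy", show: "show",
}

class MissingPermission < StandardError; end # configuration gap
class PermissionDenied  < StandardError; end # user lacks the role

# Controllers may override the default mapping, as ThemesController does
# when it maps :select and :unselect to "update theme".
def virtual_action(controller_action, resource, overrides = {})
  verb = overrides[controller_action] || DEFAULT_ACTION_MAP[controller_action]
  raise MissingPermission, "no virtual action for #{controller_action.inspect}" unless verb
  "#{verb} #{resource}"
end

def role_sufficient?(held, required)
  ROLE_ORDER.index(held) <= ROLE_ORDER.index(required)
end

# The guard: resolve the virtual action, the role it requires, and the
# roles the user holds in the current resource's context.
def guard_permission!(user, context, controller_action, resource, overrides = {})
  action   = virtual_action(controller_action, resource, overrides)
  required = PERMISSIONS[action]
  raise MissingPermission, "could not find role for #{action}" unless required
  return true if user.roles_for(context).any? { |r| role_sufficient?(r, required) }
  raise PermissionDenied, "#{user.name} may not #{action}"
end

# Boolean form; configuration gaps still raise so they are not hidden.
def permitted?(*args)
  guard_permission!(*args)
rescue PermissionDenied
  false
end

if __FILE__ == $0
  site = RoleContext.new("Site")
  newsletter = RoleContext.new("Newsletter", site)
  alice = User.new("alice")
  alice.grant(:admin, site)
  puts permitted?(alice, newsletter, :create, "newsletter") # admin on Site inherits to Newsletter
end
```

Two points worth noting for the controllers in this ticket: a role granted on a different Site never reaches this Site's newsletters, and a missing entry in the permission table is a configuration error that should fail loudly rather than fall back to "deny" silently, because a silent fallback is indistinguishable from a correct denial in tests.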

  • Priit Tamboom

    Priit Tamboom February 17th, 2009 @ 12:45 PM

    Thanks, it makes more sense now. However, I have to investigate more about testing it, because it_guards_permission does not raise any errors currently for me.

    However, what about model acts_as_role_context, should I just use Site context for Newsletter?

    
    acts_as_role_context :parent => Site
    

    last commit: http://github.com/svenfuchs/adva...

  • Priit Tamboom

    Priit Tamboom March 10th, 2009 @ 09:24 AM

    • State changed from “open” to “resolved”

Cutting edge cms, blog, wiki, forum ... platform.

Find the code on GitHub: adva cms (http://github.com/svenfuchs/adva_cms/tree/master)

Part of the business application framework adva best (http://www.advabest.org/).