edgi-govdata-archiving / web-monitoring-db

An HTTP API for tracking and annotating changes to a set of web pages.
https://api.monitoring.envirodatagov.org/
GNU General Public License v3.0

Block public access to some expensive parameters #1084

Closed Mr0grog closed 1 year ago

Mr0grog commented 1 year ago

Some parameters for the various /versions collections cause expensive queries, so they are disallowed for public, non-logged-in usage.

Solves part of #1070.

Mr0grog commented 1 year ago

Thinking about this some more, it might still make sense to allow include_change_from_* for #show. We could do this by changing block_params_for_public_users to take a first argument indicating which methods:

# Option 1: first positional argument indicates which actions the
# block applies to (:all, or a list of action names).
block_params_for_public_users :all, [:bad, :params]
block_params_for_public_users [:index, :sampled], [:other, :bad, :params]

# Option 2: a single hash, keyed by :all or by a list of actions.
# (Parentheses are needed here, otherwise Ruby parses the braces as a block.)
block_params_for_public_users({
  all: [:bad, :params],
  [:index, :sampled] => [:other, :bad, :params]
})

# Option 3: keep the method instance-level and let the controller scope it
# with `before_action`'s own `only:` option.
before_action do
  block_params_for_public_users [:bad, :params]
end
before_action(only: [:index, :sampled]) do
  block_params_for_public_users [:other, :bad, :params]
end

Mr0grog commented 1 year ago

This now covers all controllers, and therefore fixes #1070.

I also wound up going with a slightly different, more explicit style:

block_params_for_public_users actions: :all,
                              params: [:source_metadata, :status]
block_params_for_public_users actions: [:index, :sampled],
                              params: [
                                :include_change_from_previous,
                                :include_change_from_earliest
                              ]
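The following is an added, Rails-free sketch of how a `block_params_for_public_users actions:, params:` class macro like the one in the comments above can be implemented and checked; it is example code, not the project's own implementation. `PublicParamGuard`, `ParamNotAllowed`, `blocked_public_params` and `enforce_public_params!` are names assumed for the example, and the toy `VersionsController` only carries the two rules quoted in the final comment. The `logged_in:` flag stands in for whatever the real controller uses to detect an authenticated user.

```ruby
# Added example (not the project's code). Assumed names: PublicParamGuard,
# ParamNotAllowed, blocked_public_params, enforce_public_params!, and a
# logged_in: flag standing in for the real authentication check.
module PublicParamGuard
  class ParamNotAllowed < StandardError; end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Rules are stored per controller class as [actions, param_keys] pairs,
    # in declaration order.
    def public_param_rules
      @public_param_rules ||= []
    end

    # Declare parameters that anonymous callers may not send.
    # actions: :all, or one action name / an array of action names.
    # params:  one param key / an array of param keys.
    def block_params_for_public_users(actions:, params:)
      actions = Array(actions).map(&:to_sym) unless actions == :all
      public_param_rules << [actions, Array(params).map(&:to_sym)]
    end
  end

  # Return the request params that the rules forbid for this action when no
  # user is logged in. Logged-in users are never restricted. An empty array
  # means the request passes.
  def blocked_public_params(action, params, logged_in:)
    return [] if logged_in

    action = action.to_sym
    self.class.public_param_rules.flat_map do |actions, keys|
      next [] unless actions == :all || actions.include?(action)

      keys.select { |k| params.key?(k) || params.key?(k.to_s) }
    end.uniq
  end

  # What a before_action would do: raise so the controller can answer with a
  # 4xx that names the offending parameters instead of running the query.
  def enforce_public_params!(action, params, logged_in:)
    blocked = blocked_public_params(action, params, logged_in: logged_in)
    return true if blocked.empty?

    raise ParamNotAllowed,
          "Not allowed without logging in: #{blocked.join(', ')}"
  end
end

# Toy stand-in for the project's controller, carrying the two rules from the
# final comment: source_metadata/status are blocked everywhere, the
# include_change_from_* flags only on the collection actions.
class VersionsController
  include PublicParamGuard

  block_params_for_public_users actions: :all,
                                params: [:source_metadata, :status]
  block_params_for_public_users actions: [:index, :sampled],
                                params: [
                                  :include_change_from_previous,
                                  :include_change_from_earliest
                                ]
end

if __FILE__ == $PROGRAM_NAME
  c = VersionsController.new
  # Constructed request params (string keys, as Rails would hand them over).
  p c.blocked_public_params(:index, { "include_change_from_previous" => "true" }, logged_in: false)
  # => [:include_change_from_previous]
  p c.blocked_public_params(:show, { "include_change_from_previous" => "true" }, logged_in: false)
  # => []
end
```

Because rules are matched per action, `#show` keeps `include_change_from_*` open to anonymous callers while `#index` and `#sampled` reject it, and the `:all` rule catches `status` and `source_metadata` on every action; a logged-in request short-circuits before any rule is consulted.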