ruby-hyperloop / hyper-mesh

The project has moved to Hyperstack!! - Synchronization of active record models across multiple clients using Pusher, ActionCable, or Polling
https://hyperstack.org/
MIT License

protecting server_methods #66

Closed catmando closed 6 years ago

catmando commented 6 years ago

Right now server_methods are not protected.

So for example you could have

      class TypeTest < ActiveRecord::Base
        # Reachable from any client; nothing in the block checks who is calling.
        server_method :secret_data, default: "hello" do
          secret_attribute
        end
      end

and there will be nothing to prevent anybody from calling type_test.secret_attribute

An easy solution is to temporarily set acting_user (like view_permitted? does) and then let the server_method do something with it.

      class TypeTest < ActiveRecord::Base
        server_method :secret_data, default: "hello" do
          # acting_user is set for the duration of the remote call, so the
          # block can refuse anyone who is not an admin before touching data.
          raise Hyperloop::AccessViolation unless acting_user.admin?
          secret_attribute
        end
      end

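The guard pattern described in the comment above, as an added stand-alone example that is not code from the issue or from hyper-mesh itself. The `ServerMethodHost` module, `invoke_from_client`, the `User` struct and the `leaky_secret_data` method are simplified stand-ins written for this example; they only mimic the shape of `server_method` and `acting_user`, not the real dispatch path. The `Hyperloop::AccessViolation` class is defined here so the snippet runs without the gem. It also covers the case the comment does not spell out, an unauthenticated call where `acting_user` is nil.

```ruby
# Added example: a toy model of "set acting_user for the duration of a
# server_method call, then let the block check it". Not hyper-mesh's code.

module Hyperloop
  class AccessViolation < StandardError; end
end

# Stand-in for the server_method DSL (assumption: not the real implementation).
# Records one block per method name and offers a single entry point that a
# client request would be routed through.
module ServerMethodHost
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def server_methods
      @server_methods ||= {}
    end

    # server_method :name, default: ... do ... end
    # `default` is stored only to keep the DSL shape; it is unused here.
    def server_method(name, default: nil, &block)
      server_methods[name] = { default: default, body: block }
    end
  end

  # Only populated while a remote invocation is running.
  attr_reader :acting_user

  # Simulates the server receiving "call server_method `name` on this record
  # on behalf of `user`": set acting_user, run the block, always restore it
  # (the ensure matters so a raised AccessViolation cannot leak a user into a
  # later, unrelated call on the same object).
  def invoke_from_client(name, user)
    spec = self.class.server_methods.fetch(name) do
      raise ArgumentError, "#{name} is not a server_method"
    end
    previous = @acting_user
    @acting_user = user
    instance_exec(&spec[:body])
  ensure
    @acting_user = previous
  end
end

# Hypothetical user object; only admin? is needed for the check.
User = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

class TypeTest
  include ServerMethodHost

  def secret_attribute
    "the secret"
  end

  # Unprotected form from the issue: anyone who can reach the endpoint wins.
  server_method :leaky_secret_data, default: "hello" do
    secret_attribute
  end

  # Guarded form from the issue. `&.` also rejects an anonymous caller, where
  # acting_user is nil and a bare `acting_user.admin?` would raise NoMethodError.
  server_method :secret_data, default: "hello" do
    raise Hyperloop::AccessViolation unless acting_user&.admin?
    secret_attribute
  end
end

# Helper for the worked run: returns the method's value, or :denied on refusal.
def try_call(record, name, user)
  record.invoke_from_client(name, user)
rescue Hyperloop::AccessViolation
  :denied
end

if __FILE__ == $PROGRAM_NAME
  record = TypeTest.new
  puts try_call(record, :secret_data, User.new("alice", true))   # admin: allowed
  puts try_call(record, :secret_data, User.new("bob", false))    # non-admin: :denied
  puts try_call(record, :secret_data, nil)                       # anonymous: :denied
  puts try_call(record, :leaky_secret_data, nil)                 # unguarded: leaks
end
```

The only thing that makes the guard meaningful is that `acting_user` is set by the dispatcher rather than by anything the client sends, and that it is cleared again in `ensure`; a check inside the block is no stronger than the code that populates the value it reads.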
catmando commented 6 years ago

closed on edge branch