
The active model where method should act as a normal parameterized scope #116

Closed
catmando opened this issue Jan 28, 2019 · 3 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments


catmando commented Jan 28, 2019

Currently returns nil if used on an AR class, and throws an unrelated error if used on a scope.

THIS WAS THE ORIGINAL CONCLUSION BUT IT'S INCORRECT, SEE DISCUSSION:

The reason we won't implement where is that it could be used to insecurely determine counts on data.
For example, Customers.where(top_secret_attribute: true).count could be executed from the JS console to find the count of customers with the top_secret_attribute.

where should be implemented as a scope.

We will need to add a scope called __hyperstack_internal_where_scope:

```ruby
class ActiveRecord::Base
  scope :__hyperstack_internal_where_scope,
        ->(attrs) { where(attrs) },                                 # server side we just call where
        filter: ->(attrs) { !attrs.detect { |k, v| self[k] != v } } # client side optimization
  def self.where(attrs)
    __hyperstack_internal_where_scope(attrs)
  end if RUBY_ENGINE == 'opal'
end
```

On the client side we can add the class-level where method to ActiveRecord::Base, which simply calls `__hyperstack_internal_where_scope`.

@catmando catmando added this to the alpha1.4 milestone Jan 28, 2019
@catmando catmando removed this from the alpha1.4 milestone Jan 28, 2019
@catmando catmando added the enhancement New feature or request label Jan 28, 2019
Tim-Blokdijk commented

where is working within scopes, I presume this is not a security issue?

Suggestion for an error message:
Hypermodel does not support where outside of a scope for "security reasons". See [link to explanation] for details.
Please use scopes, find, find_by and ActiveRecord relations to query your data.
If you think you can write a secure where implementation, feel free to impress us.

@catmando catmando added the good first issue Good for newcomers label Feb 14, 2019
@catmando catmando changed the title The active model where method should consistently throw an error. The active model where method should act as a normal parameterized scope Feb 14, 2019

catmando commented Feb 16, 2019

@Tim-Blokdijk yes, you are right, and in fact I am wrong in my overall conclusion. where can act like any other scope and will simply follow the normal security rules. Thus, if you do not open up the all scope, then doing Customers.where(top_secret_attribute: true) will fail because no scope ever granted permission.

In practical terms you could do this:

```ruby
class Customer < ApplicationRecord
  regulate_scope :all, ->() { acting_user.admin? }  # admins can get any data needed
end
```

now

Customer.where(top_secret_attribute: true).count

will only work if executed by an admin.
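A constructed Ruby model, added here and not hyper-model's own code, that sketches the design from the two comments above: `where` delegating to a parameterized scope with a per-record `filter`, and `regulate_scope :all` deciding whether the query runs at all for the acting user. The regulation registry, `authorize!`, the Struct-backed records and the hash-based acting user are assumptions of this example.

```ruby
class AccessViolation < StandardError; end

# Constructed stand-in for a model with regulated scopes (not the hyper-model gem).
class Customer
  Record = Struct.new(:id, :name, :top_secret_attribute)
  # Sample data, constructed for this example.
  RECORDS = [
    Record.new(1, 'alice', true),
    Record.new(2, 'bob',   false),
    Record.new(3, 'carol', true)
  ].freeze

  # Registry behind `regulate_scope :all, ->() { acting_user.admin? }` from the thread;
  # here the rule receives the acting user explicitly instead of via a helper.
  @regulations = {}
  def self.regulate_scope(name, rule)
    @regulations[name] = rule
  end
  regulate_scope :all, ->(acting_user) { acting_user[:admin] }

  # Server side: a scope runs only if its own regulation, or the :all regulation, grants it.
  def self.authorize!(scope_name, acting_user)
    rule = @regulations[scope_name] || @regulations[:all]
    return if rule && rule.call(acting_user)
    raise AccessViolation, "no scope granted permission for #{scope_name}"
  end

  # The filter lambda from the thread, applied per record (the client-side optimization).
  WHERE_FILTER = ->(record, attrs) { !attrs.detect { |k, v| record[k] != v } }

  # The internal where scope: authorized like any other scope, then `where(attrs)` on the server.
  def self.__hyperstack_internal_where_scope(attrs, acting_user:)
    authorize!(:__hyperstack_internal_where_scope, acting_user)
    RECORDS.select { |r| WHERE_FILTER.call(r, attrs) }
  end

  # Class-level where simply delegates to the scope, so it inherits the scope's security rules.
  def self.where(attrs, acting_user:)
    __hyperstack_internal_where_scope(attrs, acting_user: acting_user)
  end
end

ADMIN  = { name: 'root',  admin: true  }.freeze
VIEWER = { name: 'guest', admin: false }.freeze

# What `Customer.where(top_secret_attribute: true).count` yields for a given user, or :denied.
def secret_customer_count(acting_user)
  Customer.where({ top_secret_attribute: true }, acting_user: acting_user).size
rescue AccessViolation
  :denied
end
```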


catmando commented Apr 5, 2021

closed in 1.0.alpha1.7
