I want to bar access to a CRUD operation with the help of:
class PetsController < Admin::ApplicationController
  def valid_action?(name, resource = resource_class)
    %w[new destroy].exclude?(name.to_s) && super
  end
end
The New action button isn't displayed on the dashboard, yet we can still reach the creation page through admin/pets/new and, this is the issue, effectively create a new resource.
The example app code is here, and the Heroku-hosted example is there.
@rmarronnier I ran into this too, seems like a major security hole to me. fwiw you can update routes.rb with something along the lines of:
resources :dogs, only: [:index, :show, :edit, :update]
and the controller with something like:
class DogsController < Admin::ApplicationController
  # override and disable
  def new
    raise 'not for you'
  end
end
to remove them either at the routing layer or controller layer (or be defensive and do both!).
Thanks for the tip!
I'll implement a workaround for the time being.
@rmarronnier - Thank you for raising this. I think the problem is that valid_action? should not be used for authorization purposes. This is intended as a bit of magic to know if, for example, the new action is available and it makes sense to show buttons/links to it.
Instead, I recommend that you create authorization policies as described at https://administrate-prototype.herokuapp.com/authorization.
Does that make sense?
I'm going to close this as it's been open for a while with no activity and there's a good solution here in using policies.