init.rb

Added by Levi Cole 169 days ago

Quick question,

One thing I have noticed is that when I add permissions to be public, I have to log in to an account and log out for the changes to take place, even after restarting the server. I am not sure, but I looked through the source code and inspected my sessions, and I noticed that my access rights are stored in sessions. So would that be why? Because when I log out it clears my session? Also, would you consider this a security risk?

Levi


Replies

RE: init.rb - Added by Andrew Stone 169 days ago

Hey Levi,

Yeah, if you make changes to the rules you have to log in/log out, because the access rights are stored in the session. And, as you've noticed, restarting the server doesn't reset your session.

Are you asking if storing the access_rights in the session is a security risk? I don't think that's any more of a risk than storing the id in the session, which most everyone does.

If you (or anyone else reading this thread) has an alternative solution, I'd love to hear it. I'm always open to improving code.

thanks,
andy

RE: init.rb - Added by Bruno Carrere 159 days ago

hi,

Making requests like Goldberg does?

Before using Lockdown for a project, I made some tests, and storing permissions in the session is not the best choice, as Rails 2 limits the size of the session cookie to 4 KB.

This means that it is possible to store about 50 partial permissions (only_methods(:xxxx, :index, :show)), or about half that for full permissions (all_methods), for a user (or a group) before reaching a cookie overflow.

That's a tricky limitation when using Lockdown for a big project, no?

Bruno
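To make the cookie-size limit concrete, here is an added example (not Lockdown's code, and not from anyone in this thread) that approximates the Rails 2 CookieStore encoding (Marshal dump, Base64, then a `--` separated hex HMAC-SHA1 digest) and measures how many constructed access-right entries fit under the 4 KB limit. The "controller/action" string representation of a permission, the user id and the secret are assumptions made for the measurement.

```ruby
require 'base64'
require 'openssl'

# Rails 2 CookieStore rejects a session cookie larger than this (CookieOverflow).
COOKIE_LIMIT = 4096

# Constructed stand-in for access rights kept in the session: each permission
# expands to one "controller/action" string per allowed action, so a partial
# permission such as only_methods(:xxxx, :index, :show) counts as 3 actions.
# (Assumption: the real Lockdown representation may differ in size.)
def build_session(permission_count, actions_per_permission)
  rights = []
  permission_count.times do |i|
    actions_per_permission.times do |j|
      rights << "controller_#{i}/action_#{j}"
    end
  end
  { 'user_id' => 42, 'access_rights' => rights }
end

# Approximates the CookieStore payload: Marshal-serialised session, Base64
# encoded, followed by "--" and a hex HMAC-SHA1 over the encoded data.
# Returns the byte size that is compared against COOKIE_LIMIT.
def cookie_size(session, secret = 'constructed-secret')
  data = Base64.strict_encode64(Marshal.dump(session))
  digest = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  "#{data}--#{digest}".bytesize
end

def overflows?(session)
  cookie_size(session) > COOKIE_LIMIT
end

# Largest number of permissions (each with the given number of actions) whose
# session still fits in the cookie; the number to compare with the estimates above.
def max_permissions(actions_per_permission)
  n = 0
  n += 1 until overflows?(build_session(n + 1, actions_per_permission))
  n
end

if __FILE__ == $PROGRAM_NAME
  puts "partial (3 actions): #{max_permissions(3)} permissions fit"
  puts "single action:       #{max_permissions(1)} permissions fit"
end
```

Swapping the cookie store for a server-side store (as recommended later in this thread) removes the limit entirely, since only the session id then travels in the cookie.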

RE: init.rb - Added by Andrew Stone 159 days ago

Thanks for the Goldberg tip. I will definitely look into this project for tips.

I obviously don't recommend using the cookie session store, because of the size limitation. I have updated the wiki with this recommendation.