Lockdown

I'll take a look into this. It should not matter whether you use _path or _url so there must be a bug somewhere.

Thanks for the notice and the kind remarks,
andy

I'm experiencing similar strange behavior with users seeing links they shouldn't have access to.
I think the inherit problem lies with the following lines of code within controller.rb 184 hsh = ActionController::Routing::Routes.recognize_path(url)
185 unless hsh.nil?
186 return true if path_allowed?(path_from_hash(hsh))
187 end
188 rescue Exception => e
189 # continue on
190 end

begin

in particular with line 184.

the controller authorizes the request with the function
def check_request_authorization
26 unless authorized?(path_from_hash(params))
27 raise SecurityError, "Authorization failed for params #{params.inspect}"
28 end
29 end

in the view, lockdown must reconstruct the params from the url. Unfortunately,
184 hsh = ActionController::Routing::Routes.recognize_path(url)
doesn't rebuild the hash the same way rails builds the params hash.

I think the culprit lies with test_path... particularly with the destroy action.

Kevin

actually... I think the culprit lies with url_for
I think it's the achilles heel of lockdown. The urls returned don't match some of my routes.
Unfortunately, url_for is part of action_pack.

I will do my best to get to this today. If you find anything else out, let me know.

thanks,
andy

I hope I'm not sending you out on a wild goose chase, but here are some things that I'm currently having trouble with
1) using mislav_will-paginate gem and specifying the :page parameter in the routes. Example below: hlink.connect 'hyperlinks/:action/:id', :action => 'remove', :action => /add|remove|reject/, :conditions => { :method => :post }

whereas when I switch the action and id parameters, it works like a charm

hlink.connect 'hyperlinks/:id/:action', :action => 'remove', :action => /add|remove|reject/, :conditions => { :method => :post } actionpack-2.1.0/lib/action_controller/routing/recognition_optimisation.rb

something funny is going on with

which is what I think url_for is using.

Again I hope this helps and thanks again for this awesome gem.

Kevin

My apologies for my cryptic posts... I didn't realize this thing was in textile. I wish I could reedit my post or hopefully you can just view the source of the messages.

Yeah, I can view the source. I'll probably update it with the pre wrappers if you don't mind. I don't edit posts without permission. :)

yes. please do. thanks

I think I may have come across a fix. It's probably not the best way to do things, but it's a way for
1) links that are changed by test_path to be recognized by ActionController::Routing::Routes.recognize_path
2) :page params in the path to be recognized for mislav_will-paginate gem

@
162 def authorized?(url*, environment = {}*)

adding the environment hash allows for link_to (in view.rb) to pass the method and ensure the routing gets recognized
@

@
183 begin
184 url_before_test_path = url.sub(/\/show$/, '').sub(/\/destroy$/, '')
185 hsh = ActionController::Routing::Routes.recognize_path(url_before_test_path, environment)
186 unless hsh.nil?
187 return true if path_allowed?(path_from_hash(hsh))
188 end
189 rescue Exception => e
190 # continue on
191 end

remove /show and /destroy reverses changes made by test_path - one problem with this fix is that if a legit path ends with either /show or /destroy, then their url won't be recognizeed by ActionController::Routing::Routes.recognize_path
@

Bug in my code. I didn't account for the fact that they can pass the html_method

Release 0.5.20 addresses the path vs url issue you were seeing.

thanks,
andy