From 2e4b3b138deaed741dd601d309e9df3bf8ec8fc1 Mon Sep 17 00:00:00 2001 From: Tom Clegg Date: Thu, 31 Jan 2013 12:30:20 -0800 Subject: [PATCH] fix permissions to accommodate nodes#ping and user_sessions#create exemptions --- app/controllers/user_sessions_controller.rb | 11 +++++++---- app/models/node.rb | 11 +++++++++++ app/models/orvos_model.rb | 15 ++++++++++++++- app/models/user.rb | 5 +++++ 4 files changed, 37 insertions(+), 5 deletions(-) diff --git a/app/controllers/user_sessions_controller.rb b/app/controllers/user_sessions_controller.rb index 31f691d333..f941cb0653 100644 --- a/app/controllers/user_sessions_controller.rb +++ b/app/controllers/user_sessions_controller.rb @@ -25,10 +25,13 @@ class UserSessionsController < ApplicationController user = User.find_by_identity_url(omniauth['info']['identity_url']) if not user # New user registration - user = User.create!(:email => omniauth['info']['email'], - :first_name => omniauth['info']['first_name'], - :last_name => omniauth['info']['last_name'], - :identity_url => omniauth['info']['identity_url']) + user = User.new(:email => omniauth['info']['email'], + :first_name => omniauth['info']['first_name'], + :last_name => omniauth['info']['last_name'], + :identity_url => omniauth['info']['identity_url']) + Thread.current[:user] = user # prevents OrvosModel#before_create + # from throwing "unauthorized" + user.save! else user.email = omniauth['info']['email'] user.first_name = omniauth['info']['first_name'] diff --git a/app/models/node.rb b/app/models/node.rb index 2333d80544..c10e076ef0 100644 --- a/app/models/node.rb +++ b/app/models/node.rb @@ -61,6 +61,8 @@ class Node < OrvosModel end self.last_ping_at = Time.now + @bypass_orvos_authorization = true + # Record IP address if self.ip_address.nil? logger.info "#{self.uuid} ip_address= #{o[:ip]}" @@ -97,6 +99,7 @@ class Node < OrvosModel end def start!(ping_url_method) + ensure_permission_to_update ping_url = ping_url_method.call({ uuid: self.uuid, ping_secret: self.info[:ping_secret] }) cmd = ["ec2-run-instances", "--user-data '#{ping_url}'", @@ -162,4 +165,12 @@ class Node < OrvosModel end end end + + def permission_to_update + @bypass_orvos_authorization or super + end + + def permission_to_create + current_user and current_user.is_admin + end end diff --git a/app/models/orvos_model.rb b/app/models/orvos_model.rb index 411296c127..7ed6e4e5bf 100644 --- a/app/models/orvos_model.rb +++ b/app/models/orvos_model.rb @@ -7,7 +7,8 @@ class OrvosModel < ActiveRecord::Base attr_protected :modified_by_user attr_protected :modified_by_client attr_protected :modified_at - before_update :permission_to_update + before_create :ensure_permission_to_create + before_update :ensure_permission_to_update before_create :update_modified_by_fields before_update :update_modified_by_fields @@ -30,6 +31,18 @@ class OrvosModel < ActiveRecord::Base protected + def ensure_permission_to_create + raise "Permission denied" unless permission_to_create + end + + def permission_to_create + current_user + end + + def ensure_permission_to_update + raise "Permission denied" unless permission_to_update + end + def permission_to_update if !current_user logger.warn "Anonymous user tried to update #{self.class.to_s} #{self.uuid_was}" diff --git a/app/models/user.rb b/app/models/user.rb index 08663f61d5..de9ed57bc2 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -22,6 +22,11 @@ class User < OrvosModel protected + def permission_to_create + Thread.current[:user] == self or + (Thread.current[:user] and Thread.current[:user].is_admin) + end + def prevent_privilege_escalation if self.is_admin_changed? and !current_user.is_admin if current_user.uuid == self.uuid -- 2.30.2