#879 ✓invalid
umur.ozkul (at gmail)

create_permitted? never called

Reported by umur.ozkul (at gmail) | December 2nd, 2010 @ 03:42 PM

This piece of a functional test is failing on Hobo 1.0.1. Create is permitted only when acting_user is an administrator, and yet a guest can post create!

        should "not post create" do
          count1 = MyModel.count
          puts "POSTING"
          # No login has been performed, so this request is made as Guest.
          post :create, :my_model => { :name => 'Test' }
          count2 = MyModel.count
          # Guest is not create_permitted, so nothing should have been saved...
          assert_equal count1, count2, "Nothing created"
          # ...and the controller should have refused the request.
          assert_response :forbidden
        end

A new instance of my model is created, so count1 is not equal to count2. And the page is redirected, so the response is not :forbidden. What is weird about this: "Guest" is using the system. There has been no login.

    class Organization < ActiveRecord::Base

      hobo_model # Don't put anything above this

      # Only administrators may create records of this model.
      def create_permitted?
        acting_user.administrator?
      end
    ...

The functional test should pass because the guest is not create_permitted.

I FOUND OUT THAT create_permitted IS NEVER CALLED DURING FUNCTIONAL TESTS.

Because while posting the :create action, "acting_user" is always nil. NIL.

This leads to no security check, because in Hobo's permissions.rb there won't be any security check if acting_user is nil:

    def permission_check_required?
      # Lifecycle steps are exempt from permission checks.
      # Note that this is also false (no check at all) when acting_user is nil.
      acting_user && !(self.class.has_lifecycle? && lifecycle.active_step)
    end

    def create_with_hobo_permission_check(*args, &b)
      # create_permitted? is only consulted when a check is required
      if permission_check_required?
        create_permitted? or raise PermissionDeniedError, "#{self.class.name}#create"
      end
      create_without_hobo_permission_check(*args, &b)
    end

permission_check_required? is always false during the :create action.

IS THIS A SECURITY HOLE, OR IS IT ONLY FAILING DURING FUNCTIONAL TESTS? But then again, it makes it impossible to provide functional tests for the acceptance of applications.

Comments and changes to this ticket

  • umur.ozkul (at gmail)

    umur.ozkul (at gmail) December 2nd, 2010 @ 03:49 PM

    Sorry, class Organization < ActiveRecord::Base above should be class MyModel < ActiveRecord::Base.

  • Bryan Larsen

    Bryan Larsen December 2nd, 2010 @ 05:04 PM

    • State changed from “new” to “invalid”

    Functional tests do not run the full stack. Integration tests will properly run the entire stack, so they won't have the acting_user == nil problem, although they are a lot slower.

    Here are some notes on how to set the acting_user / current_user in model & controller tests: http://www.mail-archive.com/hobousers@googlegroups.com/msg01407.html. Quoting:

    To test the controller, you'll have to login the user first using:

    post :login, :login => 'championship_manager', :password => 'test'
    
  • umur.ozkul (at gmail)

    umur.ozkul (at gmail) December 2nd, 2010 @ 05:51 PM

    Thanks for your pointers... There are no problems when I test a user logging in as you describe above.

    However, the problem happens when we want to use "Guest", that is, when we intentionally don't log in so that the test succeeds.

    post :login, :login => 'championship_manager', :password => 'test'
    

    is OK.

    But when we want to stay logged out?

    Then acting_user == nil instead of Guest.

  • umur.ozkul (at gmail)

    umur.ozkul (at gmail) December 2nd, 2010 @ 09:42 PM

    The problem repeats in webrat and capybara tests, also when using selenium.

    I found out that while the newly created model is saved, acting_user is nil, thus the create permission check is always skipped in all environments.

    I found a fix.

    I made a change in the file lib/hobo/model_controller.rb:

        def hobo_create(*args, &b)
          options = args.extract_options!
          attributes = options[:attributes] || attribute_parameters || {}
          if self.this ||= args.first
            this.user_update_attributes(current_user, attributes)
          else
            self.this = new_for_create(attributes)
            # this.save  # Original line: acting_user is nil here, so create_permitted? is never called
            this.with_acting_user(current_user) { this.save } # SUGGESTED FIX
          end
          create_response(:new, options, &b)
        end
    

    Using "this.with_acting_user(current_user) {this.save}" instead of "this.save" fixes the problem.

    Why are people not encountering this problem? Because using the application in the web interface hides the problem. If you are a guest and only the admin is allowed to create, then you don't see the admin button and you cannot post. However, somebody can execute a curl command and fill up your whole database.

    I am using Hobo 1.0.1. I did not verify this condition with newer versions of Hobo.
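The following is an added, stand-alone example (not Hobo's code and not from the ticket author) that reproduces the behaviour described in the ticket body and in the fix above: a Hobo-like `permission_check_required?` that returns false when `acting_user` is nil, a `save` that skips `create_permitted?` in that case, and a controller-style create path before and after wrapping the save in `with_acting_user`. The `Ticket` model, the `User` struct, the `buggy_create`/`fixed_create` helpers and the in-memory row store are all hypothetical stand-ins for ActiveRecord and Hobo's real classes.

```ruby
# Added example, not Hobo's own code. Minimal stand-in for the pieces of
# hobo/permissions.rb and model_controller.rb discussed in the ticket.
class PermissionDeniedError < StandardError; end

# Hypothetical users; in Hobo, acting_user is a User model or a Guest object.
User = Struct.new(:name, :administrator) do
  def administrator?
    administrator
  end
end
ADMIN = User.new('admin', true)
GUEST = User.new('guest', false)

# Mimics the relevant logic of hobo/permissions.rb: the check is skipped
# whenever acting_user is nil (lifecycle exemption left out for brevity).
module HoboLikePermissions
  attr_accessor :acting_user

  def with_acting_user(user)
    previous = acting_user
    self.acting_user = user
    yield
  ensure
    self.acting_user = previous
  end

  def permission_check_required?
    !acting_user.nil?
  end

  # Plays the role of create_with_hobo_permission_check wrapped around save.
  def save
    if permission_check_required?
      create_permitted? or raise PermissionDeniedError, "#{self.class.name}#create"
    end
    self.class.rows << self
    true
  end
end

# Hypothetical model with the ticket's create_permitted? rule.
class Ticket
  include HoboLikePermissions

  def self.rows
    @rows ||= []          # in-memory stand-in for the database table
  end

  def self.count
    rows.size
  end

  attr_reader :attrs

  def initialize(attrs)
    @attrs = attrs
  end

  def create_permitted?
    acting_user.administrator?
  end
end

# Original hobo_create behaviour: save without an acting_user, so no check runs.
def buggy_create(_current_user, attrs)
  Ticket.new(attrs).save
end

# Suggested fix from the ticket: run the save inside with_acting_user.
def fixed_create(current_user, attrs)
  record = Ticket.new(attrs)
  record.with_acting_user(current_user) { record.save }
end

# Runs both paths with a guest and an admin and reports what happened.
def reproduce
  Ticket.rows.clear
  results = {}
  results[:buggy_guest] = buggy_create(GUEST, name: 'x')   # saved: check skipped
  results[:fixed_admin] = fixed_create(ADMIN, name: 'y')   # saved: admin allowed
  results[:fixed_guest] =
    begin
      fixed_create(GUEST, name: 'z')
      :created
    rescue PermissionDeniedError
      :denied                                               # guest now refused
    end
  results[:count] = Ticket.count
  results
end

p reproduce if __FILE__ == $0
```

Running the block shows the guest's row landing in the store on the buggy path while the fixed path raises PermissionDeniedError for the same guest; the count ends at two (one guest row from the buggy path, one admin row), which is exactly the count mismatch the functional test in the ticket observed.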
