[jifty-devel] load_by_cols and access control

Jesse Vincent jesse at bestpractical.com
Tue Feb 27 11:08:09 EST 2007

On Tue, Feb 27, 2007 at 10:47:17AM -0500, Henry Baragar wrote:
> On Tuesday, February 27 2007 09:53 am, Jesse Vincent wrote:
> > On Tue, Feb 27, 2007 at 09:51:19AM -0500, Henry Baragar wrote:
> > > Hello,
> > >
> > > Is it the intention that load_by_cols (and id) bypass access control?
> > >
> > > It surprised me, with my current_user_can definition, that I can load a
> > > record (using load_by_cols) but not read any of the columns (other than
> > > id).  Is there a load_by_cols wrapper method, similar to _value(),
> > > missing from Jifty::Record?
> >
> > Often times, the access control decisions depend on the content of the
> > record (and there are other ways to load records).
> >
> OK, but load_by_cols could discard the data after examining it to determine that
> access should be denied.
> > What attack are you concerned about?
> >
> Auditors.  I like that Jifty has fine-grained access control at the model level
> and so do the auditors.  I had assumed that the only methods that bypass
> access control are the ones prefixed with "_" and that the only other way to
> bypass access control was through the use of superuser.  Now, I will
> probably have to review all the Jifty::Record methods that we use and inform
> the auditors as to which ones use access control and which ones don't.

At the same time, are you up for helping to update the documentation so
that nobody else gets bitten by the same issue?

Note also that Jifty::Collection objects load the records and use the same
methods for accessor access control.

> Otherwise, because of my mistaken assumptions and the code we have developed 
> based on those assumptions, our application behaves unpredictably in corner 
> situations.  At worst, this could open an avenue for attack: at best, it could
> affect my reputation because my application appears to be flaky.

I'd certainly like to work to help resolve this issue for you, though
I'm not sure that the current behaviour could be changed without losing
the "standard" way to do things.
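To illustrate the gap discussed above, here is an added example (not code from this thread or from the Jifty project) of a hypothetical MyApp::Model::Note whose current_user_can lets only the owner read non-id columns, together with a defensive loader that applies that same policy immediately after load_by_cols so a record the user may not read is discarded rather than handed back half-readable. The model name, column names and the load_readable_by_cols helper are assumptions for this example.

```perl
package MyApp::Model::Note;    # hypothetical model name (assumption)
use strict;
use warnings;
use Jifty::DBI::Schema;
use MyApp::Record schema {
    column owner_id => type is 'integer';
    column body     => type is 'text';
};

# Example policy: anyone may read 'id'; only the owner (or the superuser)
# may read the other columns. Jifty consults this from _value(), so
# load_by_cols() itself is not gated by it, which is the behaviour the
# thread describes.
sub current_user_can {
    my ($self, $right, %args) = @_;
    return 1 if $self->current_user->is_superuser;
    if ($right eq 'read') {
        return 1 if defined $args{column} && $args{column} eq 'id';
        # __value bypasses access control on purpose: the policy itself
        # needs the raw owner_id to make its decision.
        my $owner = $self->__value('owner_id');
        return (defined $owner && $owner == $self->current_user->id) ? 1 : 0;
    }
    # Defer to Jifty's default for create/update/delete.
    return $self->SUPER::current_user_can($right, %args);
}

# Defensive loader (assumed helper, not part of Jifty::Record): runs the
# read policy right after the load, so a record the current user may not
# read is reported as "not found" instead of being returned with only its
# id readable. Returns the loaded record, or undef.
sub load_readable_by_cols {
    my ($class, $current_user, %cols) = @_;
    my $rec = $class->new(current_user => $current_user);
    my ($id, $msg) = $rec->load_by_cols(%cols);
    return undef unless $id;    # genuinely absent
    return undef unless $rec->current_user_can('read', column => 'body');
    return $rec;
}

1;
```

Callers that use this helper instead of a bare load_by_cols see one consistent answer for "may this user see this record", which is what an auditor reviewing the model layer would expect.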