Skip to content

Solution to secure admin-only resources #835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
svileshina merged 2 commits into from
Jan 26, 2021
Merged

Solution to secure admin-only resources #835

svileshina merged 2 commits into from
Jan 26, 2021

Conversation

@solebared
Copy link
Collaborator

@solebared solebared commented Jan 21, 2021
edited
Loading

Why

Before we open up user registration, we have to secure any pages that should only be accessible to admins (sysadmins). This actually turns out to be the vast majority of our controllers, so ideally we can solve this w/o a lot of drudge work.

Pre-Merge Checklist

  • All new features have been described in the pull request
  • Security & accessibility have been considered
  • High quality tests have been added, or an explanation has been given why the features cannot be tested
  • New features have been documented, and the code is understandable and well commented
  • All outstanding questions and concerns have been resolved
  • Any next steps that seem like good ideas have been created as issues for future discussion & implementation

What

  • Add code to AdminController that ensures current_user is an admin || sysadmin
  • Show sample implementation with one admin-only controller (ContactMethodsController)

How

  • With pundit, we would usually authorize each action independently and create policy classes for each resource.
  • For admin-only resources, this seems like overkill: these controllers and actions all require exactly the same check.
  • Inheriting this logic from a base controller in the form of a before_action seems like a simpler solution.
  • Currently, AdminController contains a bunch of non-restful actions. I recommend we extract them out into their own controllers so AdminController can become an abstract base class.

Testing

Added a spec specifically around the simple auth introduced in AdminController. It uses ContactMethodsController as a sample admin-only resource.

Next Steps

Outstanding Questions, Concerns and Other Notes

?

@maebeale
Copy link
Collaborator

maebeale commented Jan 22, 2021

I think someday we should have two levels of admin, but agree this should be the path until then

@maebeale
Copy link
Collaborator

maebeale commented Jan 22, 2021

Support removing NON-RESTful actions!

@solebared solebared force-pushed the secure-admin-resources branch from 9dec763 to 434e8c8 Compare January 22, 2021 17:37
@solebared solebared mentioned this pull request Jan 22, 2021
Merged
18 tasks
@solebared
Add plain auth to AdminController
df743c2 
Sets up AdminController to become a base class for admin-only
controllers that don't need the sophistication of pundit.

Note that we need to disable pundit because it would otherwise try to
verify that authorize... was called.

See subsequent commit for usage and specs.
@solebared
Add spec for AdminController auth, convert sample controller
36d7647
@solebared solebared force-pushed the secure-admin-resources branch from 434e8c8 to 36d7647 Compare January 23, 2021 05:04
@solebared solebared changed the title Securing admin-only pages Securing admin-only resources Jan 23, 2021
@solebared solebared marked this pull request as ready for review January 23, 2021 05:10
@solebared
Copy link
Collaborator Author

solebared commented Jan 23, 2021

Ready for review. H/T @h-m-m for his help simplifying the auth implementation 🍠 .

@solebared solebared changed the title Securing admin-only resources Solution to secure admin-only resources Jan 23, 2021
solebared added a commit that referenced this pull request Jan 23, 2021
@solebared
Add simple auth to all admin-only controllers
6cbf215 
Inheriting from AdminController gives us rudimentary authorization based
on user role (must be admin or sysadmin). See #835.

Also changes one occurrence of the deprecated `update_attributes` ->
`update`.
@solebared solebared mentioned this pull request Jan 23, 2021
Merged
5 tasks
solebared added a commit that referenced this pull request Jan 25, 2021
@solebared
Add simple auth to all admin-only controllers
fc07237 
Inheriting from AdminController gives us rudimentary authorization based
on user role (must be admin or sysadmin). See #835.

Also changes one occurrence of the deprecated `update_attributes` ->
`update`.
@solebared solebared mentioned this pull request Jan 26, 2021
Merged
30 tasks
h-m-m
h-m-m approved these changes Jan 26, 2021
View reviewed changes
Copy link
Collaborator

@h-m-m h-m-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty happy about where we landed with this

@svileshina svileshina merged commit 836bd02 into main Jan 26, 2021
@svileshina svileshina deleted the secure-admin-resources branch January 26, 2021 15:25
solebared added a commit that referenced this pull request Jan 26, 2021
@solebared
Add simple auth to all admin-only controllers
050a237 
Inheriting from AdminController gives us rudimentary authorization based
on user role (must be admin or sysadmin). See #835.

Also changes one occurrence of the deprecated `update_attributes` ->
`update`.
@maebeale maebeale mentioned this pull request Mar 3, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@h-m-m h-m-m h-m-m approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@solebared @maebeale @h-m-m @svileshina