Reputation: 13425
Security for Rails-based javascript apps: How do you verify permissions on a user within rendered javascript?
Apologize if this is the wrong stack for this question. If so, please direct me to the correct site.
I have a rails app, where-in users can be a member of one of three roles: user, admin, or system. My rails app basically serves as a JSON backend for a backbone app, however. All the client-side heavy lifting is done via coffeescript files, which are handled in the asset pipeline.
Right now, I'm piping some user attributes into the javascript, via an object I create in at the application.html.slim level. Something that looks like this:
APP.currentUser =
name: "#{@current_user.name}"
role: "#{@current_user.role}"
Sprinkled throughout a few places in my backbone apps are calls like this:
if APP.currentUser.role is 'admin'...
This seems very insecure, since anyone with the knowledge could open up a dev console, modify the instance of App.currentUser to be admin, and then access the admin functionality of the front end. Now, the rails side is smart enough to check and make sure that @current_user can execute those functions before it attempts to do so, but it still seems like there should be a way to prevent that on the front end, without publishing the role into the javascript.
Am I being overly cautious, or missing something?
Upvotes: 1
Views: 189
Answers (2)
Reputation: 1499
Well, I don't think you can do better than this. I used to do something like this in cases where I need to introduce action permissions on my views. Something like this:
At the Rails back-end:
def as_json(options={})
super(:include => {
:attributes_to_include
}
).merge({
:permissions=> {
:can_create => (user.can_create?),
:can_delete => (user.can_delete?),
:can_update => (user.can_update?)
}
})
end
At the Backbone front-end
if(@user.permissions.can_create)
# Display create view
if(@user.permissions.can_update)
# Display update view
.....
Generally that's the best you can do. You can not hide the view from the user in the front-end unless the entire page is loaded from the Rails back-end with view permissions taken care of. And of course contradicts with how Ajax-based views are handled nowadays.
Also, you need to make sure you authorize actions on the Rails back-end.
Upvotes: 5
Reputation: 29419
I don't know if you're missing anything, but I don't think there is any way to have your cake (the admin and non-admin UI residing in a single backbone app) and eat it too (make the admin UI securely inaccessible to non-admins). You basically have to choose between only downloading the admin UI to confirmed admins and living with this "opening".
Upvotes: 0
Related Questions
- Rails Protect From Forgery with Javascript
- Transferring sensitive information from javascript to rails
- j render With Coffeescript in Rails and Understanding How to Sanitize Javascript
- Techniques around administrative/super user code being exposed
- Security in backbone.js?
- Rails + Backbone.js - Hide secured data in page source
- Backbone.js and role based authorization/potential for client side hacks
- protect_from_forgery & Unobtrusive Javascript
- How to pass rails model attributes to javascript safely?
- javascript security rails