
is this bypassing authentication? #42

Open
apopescu opened this issue Dec 13, 2018 · 1 comment

Comments

@apopescu

Hi everyone,

I installed this fantastic gem and used it successfully. But I noticed something that I would like to understand better.
The helper method render_report makes an Ajax call to ReportsKit::ReportsController#index. However, this does not check if the user that made the request is logged in.
In fact I can make the request to
/reports_kit/reports.json?report_params[key]=my_key_here&properties={"format":"table","ui_filters":{}}
with or without authentication. With context_params we can also send an arbitrary user ID, but again, if we provide the right ID we would see that user's data without actually logging in.

How can we check if the user is logged in when this Ajax call happens? Thanks.

@apopescu
Author

I came up with this solution:
I create an initializer file reports.rb and put inside it:

```ruby
ReportsKit::BaseController.class_eval do
  # this is a module where I have all the methods that check for authentication
  include AuthenticatedSystem

  # now I can use my login_required method
  before_action :login_required
end
```

Let me know if there could be a better solution.
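The following is an added, runnable illustration of the initializer approach above together with the second point raised in the issue (a client-supplied context_params user ID must never pick whose data is returned); it is not code from the ReportsKit gem or from the commenter. The controller, callback chain and AuthenticatedSystem module are constructed stand-ins so the file runs without Rails; the real gem's internals are not reproduced.

```ruby
# Constructed stand-in for the Rails callback machinery so this runs offline;
# the real ReportsKit::BaseController is an ActionController, not reproduced.
module ReportsKit
  class BaseController
    BEFORE_ACTIONS = [] # inherited by every subclass, as callbacks are in Rails
    attr_reader :session, :params
    def self.before_action(name)
      BEFORE_ACTIONS << name
    end
    def initialize(session, params)
      @session, @params, @response = session, params, nil
    end
    # Run the callbacks in order; halt as soon as one renders a response.
    def process(action)
      BEFORE_ACTIONS.each { |cb| send(cb); return @response if @response }
      send(action)
    end
    def render(status:, json:)
      @response = { status: status, json: json }
    end
  end

  class ReportsController < BaseController
    # The client-sent context_params[:user_id] is not trusted: the report is
    # scoped to the user the session proves, whatever the query string says.
    def index
      render(status: 200, json: { report_user_id: current_user_id })
    end
  end
end

module AuthenticatedSystem # constructed stand-in for the app's own module
  def current_user_id
    session[:user_id]
  end

  def login_required
    render(status: 401, json: { error: 'login required' }) unless current_user_id
  end
end

# The initializer from the issue (config/initializers/reports.rb).
ReportsKit::BaseController.class_eval do
  include AuthenticatedSystem
  before_action :login_required
end

# Simulate GET /reports_kit/reports.json?context_params[user_id]=...
def fetch_report(session, params)
  ReportsKit::ReportsController.new(session, params).process(:index)
end
```

An anonymous request is rejected before the action runs, and a logged-in request gets the session user's report even when the query string names someone else.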
