friendly_uuid icon indicating copy to clipboard operation
friendly_uuid copied to clipboard

Published 20 hours ago verified publisher icon glacials

Allow for scoping via method instead of overriding find

Open itsyoshio opened this issue 1 year ago • 1 comments

It would be great, if i had the choice to manually set (or scope) the friendly_uuid find operation instead of overriding the default find method.

friendly_id did this aswell with Removed class-level finders in favor of friendly scope (Norman Clarke). here is the Code Snippet

Example 
@client = Client.expand_uuid.find(params[:id])

instead of

@client = Client.find(params[:id]) # with friendly_uuid patched in

This would allow for friendly_uuid to be compatible to e.g. pundit policy_scopes which bring their own find, which is unaffected by include FriendlyUUID.

# pundit policy_scope allows for policies to define which [user, role, whatever] might see certain records or not
@client = policy_scope(Client).find(params[:id])

can't find record 6c9d3230-5cd0-4633-88f3-b608404aaf16 at /clients/6 while something like

@client = policy_scope(Client).expand_uuid.find(params[:id])

would be able to.

itsyoshio avatar Mar 16 '23 00:03 itsyoshio

I achieved something working with this :

Although it's NOT compatible with using friendly_id at the same time sadly.

# application_controller.rb

[...]

private
    def expand_uuid(uuid)
      controller_name.classify.constantize.expand(uuid)
      # will call Client.expand(uuid) if the Controller is Client
    end

and then in your controller

def set_client
      @client = policy_scope(Client).find(expand_uuid(params[:id]))
      [...]
end

Not entirely confident on the secrecy of this approach.

Assuming we have two Records in the System

  • 6c9d3230-5cd0-4633-88f3-b608404aaf16 -> /clients/6
  • 4cd042b5-8eb0-4630-9dd7-fe2c841739be -> /clients/4

Since the uuid gets (and has to) be expanded before searching in the policy_scope a user could try to gain access to different records by guessing (e.g. /clients/4) which would then be expanded. But since the full UUID is never exposed to the User it would only help in knowing there is at least one UUID starting with 4 in the Database, which a User does not have access to.

This could be alleviated by sending 404 for unpermitted records i guess.

itsyoshio avatar Mar 16 '23 00:03 itsyoshio