User authentication on redmine plugin

Added by Miguel Akira about 13 years ago

Hello.

I'm somewhat new to rails and to redmine. I made a simple plugin for redmine, where it generates reports based on the user's ticket issues. Only the admin should be able to generate reports for every user, and regular users should be able to generate reports only for their own issues.

Since this plugin is just a test, right now I'm doing this on my index view:

[code]
<% if @user.id == 1 %> <!-- the admin id =P -->
<%# the collection name was garbled in the original post; @users is assumed here %>
<%= collection_select(:user, :id, @users, :id, :lastname) %> <br /> <br />
<% else %>
<p><label> You are the user: </label> <b><%= @user.name.capitalize %></b></p>
<% end %>
[/code]

Of course, it has no security at all. How should I do this in a secure way?

Thanks!


Replies (3)

RE: User authentication on redmine plugin - Added by Felix Schäfer about 13 years ago

User.current returns the currently logged in user, User.current.admin? (or @any_user.admin? for that matter…) will tell you if the user is an admin.

RE: User authentication on redmine plugin - Added by Miguel Akira about 13 years ago

Thanks for the answer!

But is this solution safe? Or at least, safe enough, considering the Redmine is being used only internally?

Thanks!

RE: User authentication on redmine plugin - Added by Felix Schäfer about 13 years ago

Miguel Akira wrote:

But is this solution safe? Or at least, safe enough, considering the Redmine is being used only internally?

I'm not sure what you mean. User.current is always the current user in the current request, either the user object if the user is logged in, or AnonymousUser if the user isn't logged in. All user objects also have the admin? method that returns whether the user is marked as admin in Redmine or not. That's also how Redmine identifies users internally.

If those methods don't work as expected, they are bugs and possibly security risks, yes, but then you wouldn't have to worry about only your plugin but the whole Redmine.
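A worked version of the rule Felix describes in both replies (decide on the server from User.current and admin?, not from a hard-coded id in the view), written as an added example for this thread; it is not code from the original post or from Redmine. MinimalUser stands in for Redmine's User model and only reproduces id, admin? and anonymous?; ReportAuthorization, NotAuthorized and insecure_report_user_id are hypothetical names. The insecure variant shows what the original view amounts to: hiding the user selector from non-admins does not stop a logged-in user from submitting someone else's id.

```ruby
# Added example for this thread (not code from the original post or from
# Redmine): the authorization rule for "generate a report for user X".

# Stand-in for Redmine's User model. It reproduces only the attributes the
# replies above rely on: id, admin? and anonymous?.
MinimalUser = Struct.new(:id, :login, :admin, :anonymous) do
  def admin?
    admin
  end

  def anonymous?
    anonymous
  end
end

# Raised when the current user may not produce the requested report.
class NotAuthorized < StandardError; end

module ReportAuthorization
  # Returns the id of the user whose issues the report is allowed to cover.
  #
  # current_user - the user making the request (User.current in Redmine)
  # requested_id - the user id submitted with the request (params[:user_id]);
  #                the client controls this value, so it is never trusted
  #                on its own. nil means "no user was selected".
  def self.report_user_id(current_user, requested_id)
    # Anonymous users get nothing. In Redmine the require_login filter would
    # normally reject them before the action runs; this keeps the rule
    # self-contained.
    raise NotAuthorized, "login required" if current_user.anonymous?

    # Integer() rejects junk such as "5 OR 1=1" with an ArgumentError instead
    # of silently coercing it to 5.
    wanted = requested_id.nil? ? nil : Integer(requested_id)

    if current_user.admin?
      # Admins may pick any user; default to themselves when none was chosen.
      wanted || current_user.id
    elsif wanted.nil? || wanted == current_user.id
      # Regular users may only report on their own issues.
      current_user.id
    else
      raise NotAuthorized, "users may only report on their own issues"
    end
  end

  # The pattern the original view amounts to: the selector is hidden from
  # non-admins, but whatever id arrives in the request is used as-is, so any
  # logged-in user can fetch another user's report by crafting the id.
  def self.insecure_report_user_id(current_user, requested_id)
    requested_id.nil? ? current_user.id : Integer(requested_id)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample users; ids and logins are made up for the demo.
  admin = MinimalUser.new(1, "admin", true, false)
  bob   = MinimalUser.new(5, "bob", false, false)

  puts ReportAuthorization.report_user_id(admin, "7")         # 7: admin may choose
  puts ReportAuthorization.report_user_id(bob, nil)           # 5: own report only
  puts ReportAuthorization.insecure_report_user_id(bob, "7")  # 7: the bug
  begin
    ReportAuthorization.report_user_id(bob, "7")
  rescue NotAuthorized => e
    puts "denied: #{e.message}"
  end
end
```

In a Redmine plugin controller the same rule runs behind `before_action :require_login`, with `User.current` as current_user and `params[:user_id]` as requested_id, and the resulting id is what the report query is scoped to. The `@user.id == 1` test in the view only decides what the form shows; the admin check that matters is this server-side `admin?` call on the request's own user.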
