BetaNYC / projects-list

A simple listing tool to keep track of current civic tech projects of the BetaNYC community.

Home Page: http://projects.beta.nyc


Secure edit page

chriswhong opened this issue · comments

Need a password on the edit page.

So here's the quickest, dirtiest, most naive approach I could come up with -

Add this code to your public/js/controllers/projects:

    // Flag watched by ng-show / ng-hide in the view
    $scope.authSuccess = false;
    $scope.password = '';
    // Naive check: the password literal ships with the client-side JS
    $scope.submitPassword = function (password) {
      if (password === "PASSWORD") {
        $scope.authSuccess = true;
      } else {
        $scope.password = '';  // clear the field on a wrong guess
      }
    };

And re-write to your public/views/html to look like this:

    <div ng-controller="ProjectsController" ng-init="find()">
      <div ng-hide="authSuccess">
        <input ng-model="password">
        <button ng-click="submitPassword(password)">Submit</button>
      </div>

      <div ng-show="authSuccess">
        <div ng-repeat="project in projects">
          <a href="" ng-click="destroy(project)">Delete</a> {{project.html_url}}
        </div>
        <form>
          <textarea ng-model="newUrl" placeholder="Add New" style="width: 500px; height: 20px; resize: none;"></textarea>
          <button ng-click="create()">Save</button>
        </form>

        <button ng-click="update()">Update all and go to Projects list</button>
      </div>
    </div>

If authentication succeeds, the password input and button should go away, and the projects list will be displayed. The downside is that you would be storing the password on the client ("PASSWORD"), so anyone who digs into your code a bit could figure it out.

I'm still trying to figure out how to send the controller a variable from the server, because then you could easily hide your password in a config.json file that you .gitignore, and load it using the nconf module.

I am sure we can post this to the backend and check the password there with a teeny bit more effort. Thanks! I figured ng-show and ng-hide would be the way to go. I'll try to get this working soon.

Don't worry, I intend on updating this with a better solution soon. Just wanted to post this in case you needed something immediately.

Thanks... I don't think we've been hacked yet. Earlier today I was able to secure the mongodb connection strings by using Heroku Environment variables... they're pretty sweet, you just set them in the terminal and they persist.

Nice, that's a good way to go about it.

What about using mongo's built-in user support? That way you should be able to use the database's built-in roles to restrict read/write access.

This website doesn't really need user accounts, only one password to access the admin sections. I have a possible solution that is ready to be implemented on my fork, but I didn't want the updates to be eclipsed by other diffs. I submitted a pull request earlier regarding putting the node_modules on the .gitignore, and until that is settled it's hard to tell what I changed. Or maybe I'm just not using git correctly here...

@ameensol Hi, yeah it's not so much about supporting user accounts (I think mean.io comes with passport set up for that), but providing a little bit more access control by using a non-superuser db account to do the updates. You'll definitely still need the functionality from your pull request, but the mongohq_uri can use an account with different permissions as well.