Hardening_Conductor_models
movitto edited this page Jan 16, 2013
Back to Hardening_the_app
- the permission model is correctly applied to all model-level objects (see below)
- fields requiring encryption are stored securely in the database
- all restricted fields are hidden in logs
Mass assignment is used frequently in our project, but it is a bad practice: any request parameter whose name matches a model attribute is written to the record unless that attribute is protected (see http://guides.rubyonrails.org/security.html#mass-assignment).
By default all attributes will be marked as having to be set explicitly, with specific exceptions whitelisted on each model (in Rails 3 terms, `config.active_record.whitelist_attributes = true` together with per-model `attr_accessible` lists).
A patch adding preliminary support has been sent to the list and is awaiting review / further revisions:
[1] https://lists.fedorahosted.org/pipermail/aeolus-devel/2012-July/011770.html
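The following is an added example, not Conductor code and not the patch referenced above. It runs without ActiveRecord: the `MassAssignable` module, `ProtectedAttributeError` and the `User`/`UnprotectedUser` models are assumed stand-ins that mirror the Rails 3 `attr_accessible` whitelist behaviour, and the request hash is constructed. It shows the failure the guide describes (an injected `admin` flag landing on the record) next to the whitelisted form, where the same request is rejected.

```ruby
# Added example: a minimal stand-in for Rails 3 mass-assignment protection,
# so the whitelist behaviour can be run without ActiveRecord. The names
# MassAssignable, attr_accessible and ProtectedAttributeError are assumptions
# that mirror the Rails API; the models and the request hash are constructed.

class ProtectedAttributeError < StandardError; end

module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist: only these attributes may be set through mass assignment.
    def attr_accessible(*names)
      accessible_attributes.concat(names.map(&:to_sym))
    end

    def accessible_attributes
      @accessible_attributes ||= []
    end
  end

  # Equivalent of whitelist_attributes = true: a key that is not whitelisted
  # raises instead of being silently assigned.
  def assign_attributes(params)
    params.each do |name, value|
      key = name.to_sym
      unless self.class.accessible_attributes.include?(key)
        raise ProtectedAttributeError, "Can't mass-assign protected attribute: #{key}"
      end
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Before: no whitelist, every request key lands on the object.
class UnprotectedUser
  attr_reader :login, :email, :admin

  def initialize(attrs = {})
    @admin = false
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
  end
end

# After: only :login and :email may come from the request; :admin is
# deliberately left off the list and can only be set by an explicit method.
class User
  include MassAssignable
  attr_reader :login, :email, :admin

  attr_accessible :login, :email

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  def grant_admin!
    @admin = true
  end
end

# Constructed request parameters with an injected admin flag, as a client
# could submit them to a create action that passes params straight to new().
TAMPERED_PARAMS = { "login" => "mallory", "email" => "m@example.com", "admin" => true }.freeze
CLEAN_PARAMS    = { "login" => "alice",   "email" => "a@example.com" }.freeze

# Returns the admin flag the unprotected model ends up with.
def unprotected_admin?(params)
  UnprotectedUser.new(params).admin
end

# Returns the created User, or the ProtectedAttributeError raised for it.
def create_user(params)
  User.new(params)
rescue ProtectedAttributeError => e
  e
end

if __FILE__ == $0
  puts "unprotected admin flag: #{unprotected_admin?(TAMPERED_PARAMS)}"
  puts "whitelisted result:     #{create_user(TAMPERED_PARAMS).inspect}"
  puts "clean request:          #{create_user(CLEAN_PARAMS).inspect}"
end
```

Raising rather than dropping the key is the point of enabling the global whitelist: a silently ignored `admin` key hides a probe in the logs, while an exception surfaces it in the 500 handler and the test suite.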
See the Original Page on the redmine wiki
- app/views/layouts/_tabpanel.html.haml
- delete resource / route for :builds as corresponding controller does not exist
- delete resource / route for :templates as corresponding controller does not exist
- consider moving our stateful views (lib/viewstate.rb) and our permissions / metadata subsystem out into their own gems
- remove the matching_profiles exception from the require_user filter in the hardware profiles controller (no such method exists)
- the iwhd analysis was dropped, as that component is being removed