Hi,

I'm building a REST based app whereby a number of servers will submit data to the database using activerecord and the web frontend will merely view the data and provide reports.

What is the easiest way to restrict create, update and delete to the remote servers using active record i.e., so that the web frontend can't perform any changes to the database for certain controllers?

Thanks,
Toby

On 8/6/07, Toby Clemson <tobyclemson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> I'm building a REST based app whereby a number of servers will submit
> data to the database using activerecord and the web frontend will
> merely view the data and provide reports.
>
> What is the easiest way to restrict create, update and delete to the
> remote servers using active record i.e., so that the web frontend
> can't perform any changes to the database for certain controllers?
>
> Thanks,
> Toby

On edge you should just be able to raise an appropriate error.

ActionController::MethodNotAllowed
ActionController::NotImplemented
ActionController::UnknownAction

Are all actions handled by edge. If you're not on edge you can handle these errors by overwriting
rescue_action_in_public(exception)

If you search this list or google there is plenty of information on that method.

HTH
Daniel

Oh ok thanks.

What does edge do when one of those errors is raised? Do I explicitly need to rescue them or are they automatically handled?

On Aug 6, 11:24 am, "Daniel N" <has....-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 8/6/07, Toby Clemson <tobyclem...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Hi,
> >
> > I'm building a REST based app whereby a number of servers will submit
> > data to the database using activerecord and the web frontend will
> > merely view the data and provide reports.
> >
> > What is the easiest way to restrict create, update and delete to the
> > remote servers using active record i.e., so that the web frontend
> > can't perform any changes to the database for certain controllers?
> >
> > Thanks,
> > Toby
>
> On edge you should just be able to raise an appropriate error.
>
> ActionController::MethodNotAllowed
> ActionController::NotImplemented
> ActionController::UnknownAction
>
> Are all actions handled by edge. If you're not on edge you can handle these
> errors by overwriting
> rescue_action_in_public(exception)
>
> If you search this list or google there is plenty of information on that
> method.
>
> HTH
> Daniel

On 8/6/07, Toby Clemson <tobyclemson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Oh ok thanks.
>
> What does edge do when one of those errors is raised? Do I explicitly
> need to rescue them or are they automatically handled?
>
> On Aug 6, 11:24 am, "Daniel N" <has....-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > On 8/6/07, Toby Clemson <tobyclem...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > Hi,
> > >
> > > I'm building a REST based app whereby a number of servers will submit
> > > data to the database using activerecord and the web frontend will
> > > merely view the data and provide reports.
> > >
> > > What is the easiest way to restrict create, update and delete to the
> > > remote servers using active record i.e., so that the web frontend
> > > can't perform any changes to the database for certain controllers?
> > >
> > > Thanks,
> > > Toby
> >
> > On edge you should just be able to raise an appropriate error.
> >
> > ActionController::MethodNotAllowed
> > ActionController::NotImplemented
> > ActionController::UnknownAction
> >
> > Are all actions handled by edge. If you're not on edge you can handle these
> > errors by overwriting
> > rescue_action_in_public(exception)
> >
> > If you search this list or google there is plenty of information on that
> > method.
> >
> > HTH
> > Daniel

It's handled automatically on edge I believe. It's a pretty new feature.

I saw a blog post on how to use it properly but I can't seem to put my hands on it at the moment.

Ok I'll have a search. I'm using edge but only the latest stable revision so I hope it is supported there.

How do I differentiate between a call from the web frontend and a call from activeresource? Are there tell tale signs of an activeresource call apart from the fact it asks for xml?

On Aug 6, 11:47 am, "Daniel N" <has....-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 8/6/07, Toby Clemson <tobyclem...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Oh ok thanks.
> >
> > What does edge do when one of those errors is raised? Do I explicitly
> > need to rescue them or are they automatically handled?
> >
> > On Aug 6, 11:24 am, "Daniel N" <has....-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > On 8/6/07, Toby Clemson <tobyclem...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > > Hi,
> > > >
> > > > I'm building a REST based app whereby a number of servers will submit
> > > > data to the database using activerecord and the web frontend will
> > > > merely view the data and provide reports.
> > > >
> > > > What is the easiest way to restrict create, update and delete to the
> > > > remote servers using active record i.e., so that the web frontend
> > > > can't perform any changes to the database for certain controllers?
> > > >
> > > > Thanks,
> > > > Toby
> > >
> > > On edge you should just be able to raise an appropriate error.
> > >
> > > ActionController::MethodNotAllowed
> > > ActionController::NotImplemented
> > > ActionController::UnknownAction
> > >
> > > Are all actions handled by edge. If you're not on edge you can handle these
> > > errors by overwriting
> > > rescue_action_in_public(exception)
> > >
> > > If you search this list or google there is plenty of information on that
> > > method.
> > >
> > > HTH
> > > Daniel
>
> It's handled automatically on edge I believe. It's a pretty new feature.
>
> I saw a blog post on how to use it properly but I can't seem to put my hands
> on it at the moment.

On 8/6/07, Toby Clemson <tobyclemson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Ok I'll have a search. I'm using edge but only the latest stable
> revision so I hope it is supported there.
>
> How do I differentiate between a call from the web frontend and a call
> from activeresource? Are there tell tale signs of an activeresource
> call apart from the fact it asks for xml?

I'm guessing there's not, but I am guessing.

If you can change your data via xml, then I think you would need to allow it by xml in all cases. Just check that valid user data is supplied. If a user wants to hack up the browser version so it submits via an xml action then they are going to. That's if they use the browser at all if they wanted to be malicious.

Best bet is to code it such that xml is allowed and leave it at that. I wouldn't burn up braincells trying to worry about ALL the what-ifs a user can do to be bad. Just work out what you want to allow with your authorization permission and leave it at that.

HTH
Daniel

On 8/6/07, Toby Clemson <tobyclemson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Ok I'll have a search. I'm using edge but only the latest stable
> revision so I hope it is supported there.
>
> How do I differentiate between a call from the web frontend and a call
> from activeresource? Are there tell tale signs of an activeresource
> call apart from the fact it asks for xml?

Nope, not really. Just check request.format.xml? if you want.

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
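
An added example, not written by anyone in this thread: the last two replies say that nothing marks an ActiveResource call beyond its asking for XML, and that the decision belongs to authorization. This standalone Ruby (no Rails needed) contrasts a format check with a per-server token check on constructed requests; the `Request` struct, the `X-Server-Name` and `X-Server-Token` headers and the token values are assumptions made for illustration.

```ruby
require 'digest'

# Constructed stand-in for a request: only the fields the guards inspect.
Request = Struct.new(:verb, :format, :headers)

WRITE_VERBS = %w[POST PUT DELETE].freeze
GOOD = 'constructed-token-for-collector-1' # constructed sample token

# Hypothetical per-server tokens; only their digests are stored.
SERVER_TOKEN_DIGESTS = { 'collector-1' => Digest::SHA256.hexdigest(GOOD) }.freeze

# Compare two equal-length strings without stopping at the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Format-based guard: the client picks the format, so this is not access control.
def format_guard(req)
  return 200 unless WRITE_VERBS.include?(req.verb)
  req.format == :xml ? 200 : 405
end

# Credential-based guard: writes need a token that only the remote servers hold.
def token_guard(req)
  return 200 unless WRITE_VERBS.include?(req.verb)
  expected = SERVER_TOKEN_DIGESTS[req.headers['X-Server-Name']]
  token = req.headers['X-Server-Token']
  return 401 if expected.nil? || token.nil?
  secure_equal?(Digest::SHA256.hexdigest(token), expected) ? 200 : 403
end

# Constructed sample requests: frontend form, frontend claiming XML, real server,
# wrong token, and a read-only report view.
SAMPLES = {
  browser_form: Request.new('POST', :html, {}),
  browser_as_xml: Request.new('POST', :xml, {}),
  server_write: Request.new('POST', :xml, { 'X-Server-Name' => 'collector-1', 'X-Server-Token' => GOOD }),
  bad_token: Request.new('PUT', :xml, { 'X-Server-Name' => 'collector-1', 'X-Server-Token' => 'guess' }),
  report_view: Request.new('GET', :html, {})
}.freeze

# One row per sample: [name, format_guard status, token_guard status].
def decisions
  SAMPLES.map { |name, req| [name, format_guard(req), token_guard(req)] }
end

decisions.each { |row| puts row.join("\t") }
```

The `browser_as_xml` row is the one to look at: the format guard lets the write through, while the token guard rejects it because no server credential was presented.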