I have an authentication and autherization system built on the same
lines outlined by Michael Hartl, rails tutorial.
Here is the employees_controller.rb:
class EmployeesController < ApplicationController
before_filter :signed_in_employee, only:
[:index, :edit, :update]
before_filter :correct_employee, only:
[:edit, :update]
etc
etc
private
def signed_in_employee
unless signed_in?
store_location
redirect_to signin_path, notice:
"Please sign in to access this page."
end
end
def correct_employee
@employee = Employee.find(params[:id])
redirect_to(root_path) unless current_employee?
(@employee)
end
def admin_employee
redirect_to(root_path) unless
current_employee.admin?
end
end
The pages start out at root. If you try and change the url to say
''employees'' you will get the message
"Please sign in to access this page."
If you change the url to any other page, ie, to contracts, you totally
circumvent the authentication and authorization.
Is there a way to use the authentication and authorization of
''employee'' to prevent a user from changing the url to
circumvent the
sign-in, and also to govern the access to any other page without using
a gem?
Thanks,
fuzzy.
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.
On Mon, Dec 3, 2012 at 8:42 AM, fuzzy <hlogoma-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> If you change the url to any other page, ie, to contracts, you totally > circumvent the authentication and authorization. > > Is there a way to use the authentication and authorization of > ''employee'' to prevent a user from changing the url to circumvent the > sign-in, and also to govern the access to any other page without using > a gem?Store the userid in the session and then create a method on ApplicationController that checks the user, and run a before filter on all actions you need to secure, if the userid doesn''t exist in the session then redirect them to the login page and redirect them back after authentication. Normally these methods would be "user" so you can do "user" and get the user information automatically and "authenticate_user!" which would do the checking for "user" and redirect_to if there is a problem... This is just a base idea you need to fill in the blanks on security between these actions. Authentication systems are hard, and this is no joke. They are hard because it requires a lot of work to get right, and they are harder when you mix in ACL''s and MAL''s which requires a need for even more work, I would recommend instead of doing it from scratch at first use Devise or Omniauth, both proven to be secure, both able to handle custom auth and both will ease the pain until you understand the full stack of Rails. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit https://groups.google.com/groups/opt_out.
Thanks Jordon ... I take your point ... I begin with some sites discussing both these issues, authentication, and authorization. fuzzy. On Dec 3, 8:51 am, Jordon Bedwell <envyge...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> On Mon, Dec 3, 2012 at 8:42 AM, fuzzy <hlog...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > If you change the url to any other page, ie, to contracts, you totally > > circumvent the authentication and authorization. > > > Is there a way to use the authentication and authorization of > > ''employee'' to prevent a user from changing the url to circumvent the > > sign-in, and also to govern the access to any other page without using > > a gem? > > Store the userid in the session and then create a method on > ApplicationController that checks the user, and run a before filter on > all actions you need to secure, if the userid doesn''t exist in the > session then redirect them to the login page and redirect them back > after authentication. Normally these methods would be "user" so you > can do "user" and get the user information automatically and > "authenticate_user!" which would do the checking for "user" and > redirect_to if there is a problem... This is just a base idea you > need to fill in the blanks on security between these actions. > > Authentication systems are hard, and this is no joke. They are hard > because it requires a lot of work to get right, and they are harder > when you mix in ACL''s and MAL''s which requires a need for even more > work, I would recommend instead of doing it from scratch at first use > Devise or Omniauth, both proven to be secure, both able to handle > custom auth and both will ease the pain until you understand the full > stack of Rails.-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Reasonably Related Threads
- How to get contact list from yahoo in rails using OAuth
- Setting a global before_filter action in application.rb
- create object after before_filter :authenticate_user!
- Windows, Rails 3.1.3, Omniauth-BrowserID, SSL Erro
- “Routing Error No route matches {}” when omniauth failed on registration