Rob Park
2005-Mar-05 08:46 UTC
problems with authentication -- restrict certain actions to certain users
Ok, so at this point I've got my app completely written, including the login generator, and I've even got stuff like the layout done up all nicely so that the login page matches the rest of the site nicely. All is good. But there's one problem: I'm not running a wiki here, I'm running a personal site. As it is, any schmuck can log in, and anybody who's logged in can create pages, edit pages, and even delete them. This is far from optimal -- it's nice that non-logged-in users are redirected to the login screen if they try to edit a page, but it's not so nice that anybody can log in and then it sends them right back to the page they were trying to access.

Of course, the crude solution is simply to disable the signup action so that only people who've already signed up (eg, just me) can log in. That's something that I'll probably end up doing as an extra layer of security anyway, but it's not the ideal solution.

What I'd like to do is to further restrict certain actions so that you not only have to register an account and log in, you also have to be logged in as user id "1" (eg, just me). Ideally users with other id #'s would be displayed a pretty (using my existing layout) error message if they attempt to access certain actions.

Thanks.

-- 
One Guy With A Camera
http://rbpark.ath.cx
Rob Park
2005-Mar-06 00:18 UTC
Re: problems with authentication -- restrict certain actions to certain users
On Sat, 5 Mar 2005 01:46:39 -0700, Rob Park <rbpark-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> What I'd like to do is to further restrict certain actions so that you
> not only have to register an account and log in, you also have to be
> logged in as user id "1" (eg, just me). Ideally users with other id
> #'s would be displayed a pretty (using my existing layout) error
> message if they attempt to access certain actions.

Ok, I've played around with it a bit, and these are the two changes that I made to login_system.rb in order to achieve the effect that I wanted:

First, I changed the authorize? method to this:

  def authorize?(user)
    user.id == 1
  end

(jeez, that was a lot easier than I was expecting it to be. Rails is amazing ;)

And then I changed the second 'if' statement in login_required to this:

  if @session['user']
    if authorize?(@session['user'])
      return true
    else
      flash['notice'] = "You do not have permission to access that page. "
    end
  end

The reason for the second change is that users who were logged in but were failing the authorize? method were being redirected to a login screen, which doesn't make a whole lot of sense to me (the user is already logged in, they simply lack permission... why send them to the login page?). So I added the flash['notice'] to indicate on the login screen that permission was denied.

Something like this should probably be the default behavior, eg, redirect non-logged-in people to the login screen, but redirect logged-in people who lack permission to some kind of error page.

-- 
One Guy With A Camera
http://rbpark.ath.cx
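The distinction the post ends on, that an anonymous user should be sent to the login page while an authenticated user without permission should get an error page instead, is the one a reviewer would insist on: conflating the two leaks nothing, but it teaches users that "log in again" fixes a permission problem, which it never will. The sketch below is an added example and not code from the thread or from the Rails login generator; it is framework-free Ruby so it runs on its own. The `User` struct, the `ADMIN_IDS` set (standing in for the post's hard-coded `user.id == 1`), the `PROTECTED_ACTIONS` list and the `/account/login` path are all assumptions made for this example.

```ruby
# Added example (not from the original thread or the Rails login generator).
# A framework-free model of a login_required filter that separates
# "not logged in" (redirect to login) from "logged in but not permitted"
# (render an error page). Names below are assumptions for this example.

User = Struct.new(:id, :login)

# User ids allowed to perform privileged actions. The post checks
# user.id == 1 inline; keeping the set in one constant keeps the policy in
# a single place if a second maintainer is ever added.
ADMIN_IDS = [1].freeze

# Actions that require an authorized user rather than merely a logged-in one.
PROTECTED_ACTIONS = %w[new edit destroy].freeze

def authorize?(user)
  ADMIN_IDS.include?(user.id)
end

# Returns a hash describing what the filter would do, so the outcome can be
# inspected without a real request cycle:
#   { status: :ok }                        -> run the action
#   { status: :redirect, to: '/...' }      -> anonymous user, go log in
#   { status: :forbidden, notice: '...' }  -> logged-in user lacks permission
def login_required(session, action, requested_path)
  # Public actions need neither authentication nor authorization.
  return { status: :ok } unless PROTECTED_ACTIONS.include?(action)

  user = session['user']
  if user.nil?
    # Unauthenticated: remember where they were going, then send them to
    # the login page. This is the only case that should land on that page.
    session['return_to'] = requested_path
    return { status: :redirect, to: '/account/login' }
  end

  return { status: :ok } if authorize?(user)

  # Authenticated but not permitted: do not bounce them to the login page
  # (they are already logged in); hand back an error the controller can
  # render in the site's normal layout.
  { status: :forbidden,
    notice: 'You do not have permission to access that page.' }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample users and requests.
  owner   = User.new(1, 'rob')
  visitor = User.new(2, 'someone_else')
  p login_required({}, 'edit', '/wiki/edit/Home')
  p login_required({ 'user' => visitor }, 'edit', '/wiki/edit/Home')
  p login_required({ 'user' => owner }, 'edit', '/wiki/edit/Home')
  p login_required({ 'user' => visitor }, 'show', '/wiki/show/Home')
end
```

In a real Rails controller the three outcomes map onto `redirect_to` for the anonymous case, `render` of an error template (with an appropriate HTTP status) for the forbidden case, and falling through for success; returning a plain hash here just keeps the decision logic testable on its own.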