Hi all,

I use the following monkey-patch on facebooker- it secures a session
with fb_sig_profile_user for profile tabs.

I can spec it out and add it to my fork:

http://github.com/mixonic/facebooker/tree/master

If secure_with_facebook_params feels like the right place for it.
Thoughts? Thanks!

-------------------------
module Facebooker
  module Rails
    module Controller

      # Overwrite secure to handle profile_user and profile_session_key params
      #
      def secure_with_facebook_params!
        return unless request_comes_from_facebook?

        if ['user', 'session_key'].all? {|element| facebook_params[element]}
          @facebook_session = new_facebook_session
          @facebook_session.secure_with!(facebook_params['session_key'], facebook_params['user'], facebook_params['expires'])
        elsif ['profile_user', 'profile_session_key'].all? {|element| facebook_params[element]}
          @facebook_session = new_facebook_session
          @facebook_session.secure_with!(facebook_params['profile_session_key'], facebook_params['profile_user'], facebook_params['expires'])
        end
        session[:facebook_session] = @facebook_session
      end
    end
  end
end
-----------------

--
Matthew Beale :: 607 227 0871
Resume & Portfolio @ http://madhatted.com

The profile_user is the person whose tab is being viewed, right? Not
the viewer? If so, it seems wrong to secure a session with that user.

Mike

On Jan 30, 2009, at 10:58 AM, Matthew Beale wrote:

> Hi all,
>
> I use the following monkey-patch on facebooker- it secures a session
> with fb_sig_profile_user for profile tabs.
>
> I can spec it out and add it to my fork:
>
> http://github.com/mixonic/facebooker/tree/master
>
> If secure_with_facebook_params feels like the right place for it.
> Thoughts? Thanks!
>
> -------------------------
> module Facebooker
>   module Rails
>     module Controller
>
>       # Over write secure to handle profile_user and profile_session_key params
>       #
>       def secure_with_facebook_params!
>         return unless request_comes_from_facebook?
>
>         if ['user', 'session_key'].all? {|element| facebook_params[element]}
>           @facebook_session = new_facebook_session
>           @facebook_session.secure_with!(facebook_params['session_key'], facebook_params['user'], facebook_params['expires'])
>         elsif ['profile_user', 'profile_session_key'].all? {|element| facebook_params[element]}
>           @facebook_session = new_facebook_session
>           @facebook_session.secure_with!(facebook_params['profile_session_key'], facebook_params['profile_user'], facebook_params['expires'])
>         end
>         session[:facebook_session] = @facebook_session
>       end
>     end
>   end
> end
> -----------------
>
> --
> Matthew Beale :: 607 227 0871
> Resume & Portfolio @ http://madhatted.com
>
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk

--
Mike Mangino
http://www.elevatedrails.com

On Fri, 2009-01-30 at 13:54 -0500, Mike Mangino wrote:
> The profile_user is the person whose tab is being viewed, right? Not
> the viewer? If so, it seems wrong to secure a session with that user.
>

Nah, you need a session for someone :-). It's better than no session at
all, and you have a chance to show some data about the hosting user.
It's just a change of perspective to keep in mind while you write
templates.

I've also gotten feedback from a large number of users who use the tab
for themselves anyway, it's weird but I try to keep a focus on both
possible audiences.

--
Matthew Beale :: 607 227 0871
Resume & Portfolio @ http://madhatted.com

I would rather use tab_session or some other session name to make sure
it is clear that it is a different user. That way, you don't pull the
user information and accidentally give the viewing user the privileges
of the user they are viewing.

You could create a tab_session helper and build it only on tab pages.

Mike

On Jan 30, 2009, at 3:49 PM, Matthew Beale wrote:

> On Fri, 2009-01-30 at 13:54 -0500, Mike Mangino wrote:
>> The profile_user is the person whose tab is being viewed, right? Not
>> the viewer? If so, it seems wrong to secure a session with that user.
>>
>
> Nah, you need a session for someone :-). It's better than no session at
> all, and you have a chance to show some data about the hosting user.
> It's just a change of perspective to keep in mind while you write
> templates.
>
> I've also gotten feedback from a large number of users who use the tab
> for themselves anyway, it's weird but I try to keep a focus on both
> possible audiences.
>
> --
> Matthew Beale :: 607 227 0871
> Resume & Portfolio @ http://madhatted.com

--
Mike Mangino
http://www.elevatedrails.com
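
Added example (not part of the thread, and not Facebooker code): a stand-alone Ruby sketch of the separation suggested in the last message, where the viewer's session and a tab_session for the profile owner are built from different fb_sig fields and never share a slot. FbSession, build_session, merged_session, viewer_session, may_edit_settings? and the sample values are hypothetical names and constructed data; only tab_session and the parameter names come from the thread.

```ruby
# Added illustration; not Facebooker code. All names below are hypothetical.
FbSession = Struct.new(:session_key, :user, :expires)

# Constructed sample of the fb_sig_* values on a profile-tab request:
# only the tab owner's identity is present, the viewer's is absent.
TAB_REQUEST = {
  'profile_user'        => '1001',
  'profile_session_key' => 'owner-key-constructed',
  'expires'             => '0'
}.freeze

# Build a session only when both the key and the user field are present.
def build_session(params, key_field, user_field)
  return nil unless [key_field, user_field].all? { |f| params[f] }
  FbSession.new(params[key_field], params[user_field], params['expires'])
end

# Shape of the patch under discussion: one slot that falls back to the owner.
def merged_session(params)
  build_session(params, 'session_key', 'user') ||
    build_session(params, 'profile_session_key', 'profile_user')
end

# Separated approach: the viewer's identity comes only from user/session_key.
def viewer_session(params)
  build_session(params, 'session_key', 'user')
end

# The tab owner's session lives under its own name and is used for display data.
def tab_session(params)
  build_session(params, 'profile_session_key', 'profile_user')
end

# A typical privilege check written against "the current session".
def may_edit_settings?(current, owner_id)
  !current.nil? && current.user == owner_id
end
```

With the merged slot, may_edit_settings? passes for any visitor to the tab because the session carries the owner's id; with the separated helpers the same check sees no viewer and fails, while tab_session still supplies the owner's data for rendering.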