David Mitchell
2006-Feb-08 05:30 UTC
[Rails] Protecting controllers - looking for a DRY solution
Hello everyone,

I've got several different user roles (i.e. admin, user, guest, ...) and have set up a bunch of controllers for each user role.

I'm trying to set up some sort of validation that the user accessing e.g. the admin/subjects controller has the 'admin' role. The brute force way to do this would be something like:

- for each controller, put in

    before_filter :validate_user

    def validate_user
      if session[:user].role != 'admin'
        flash[:notice] = "You don't have permission to access this"
        redirect_to :controller => session[:user].role, :action => 'home'
      end
    end

However, I don't want to put this code in almost verbatim into about 35 controllers if I can avoid it. Is there some way I can put this logic in one spot and then call it from all controllers? In particular, I need to be able to determine the role the user should have is 'admin' when he's accessing the e.g. 'admin/subjects' or 'admin/content' controllers - the required role will ALWAYS be prefix of the controller.

Thanks in advance

Dave M.
Kevin Olbrich
2006-Feb-08 05:35 UTC
[Rails] Protecting controllers - looking for a DRY solution
On Wednesday, February 08, 2006, at 4:30 PM, David Mitchell wrote:
> Hello everyone,
>
> I've got several different user roles (i.e. admin, user, guest, ...)
> and have set up a bunch of controllers for each user role.
>
> I'm trying to set up some sort of validation that the user accessing
> e.g. the admin/subjects controller has the 'admin' role. The brute
> force way to do this would be something like:
> - for each controller, put in

Take a look at the user_engine plugin. It does exactly what you are looking for.

_Kevin
Kris Leech
2006-Feb-08 12:15 UTC
[Rails] Re: Protecting controllers - looking for a DRY solution
Here is an approx/pseudo way of doing it:

You need to create a table called something like permissions with all the controller/action combos in your application in it and link it to the roles - i.e. role has_many permissions.

Load the permissions for the user into the session at login.

Put a method called authorise in application controller that is called from a before_filter in the controllers you want to protect.

In the authorise method use (I think) request.controller and request.action, which contain the current controller and action, to do a find on the permissions in the session.

Kris.
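Added example, not code from any post in this thread: the role-from-prefix rule in the first post, written as one central decision function of the kind a single before_filter in the application controller could call. It is plain Ruby so it runs without Rails; `User`, `PUBLIC_CONTROLLERS`, `required_role`, `authorise` and `home_for` are hypothetical names, and the role list is the one given in the question.

```ruby
# Added example: hypothetical names throughout, no Rails required.
KNOWN_ROLES        = %w[admin user guest].freeze  # roles named in the thread
PUBLIC_CONTROLLERS = %w[login].freeze             # assumption: reachable with no role

User = Struct.new(:name, :role)                   # stand-in for session[:user]

# Role required for a controller path such as "admin/subjects".
# Matches the whole first path segment, so "administrator/x" is not "admin".
# Returns nil when the path does not start with a known role.
def required_role(controller_path)
  prefix = controller_path.to_s.split("/").first
  KNOWN_ROLES.include?(prefix) ? prefix : nil
end

# Where a denied user is sent: their own role's home, or login.
def home_for(user)
  KNOWN_ROLES.include?(user.role) ? "#{user.role}/home" : "login"
end

# Returns [:allow] or [:deny, redirect_target].
def authorise(user, controller_path)
  return [:allow] if PUBLIC_CONTROLLERS.include?(controller_path)
  return [:deny, "login"] if user.nil?            # no session: never call .role on nil
  needed = required_role(controller_path)
  return [:deny, home_for(user)] if needed.nil?   # unknown namespace: deny by default
  user.role == needed ? [:allow] : [:deny, home_for(user)]
end

if __FILE__ == $0
  # Constructed sample requests.
  admin = User.new("dave", "admin")
  guest = User.new("anon", "guest")
  [[admin, "admin/subjects"], [guest, "admin/content"],
   [nil, "admin/subjects"], [admin, "administrator/subjects"]].each do |user, path|
    puts "#{user ? user.role : 'no session'} -> #{path}: #{authorise(user, path).inspect}"
  end
end
```

Because the check lives in one place, a controller added later under a new namespace is denied until its prefix is added to the role list, rather than being open until someone remembers to copy the filter into it.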