Hello all.

Is there a way to stop users from being able to access a controller's methods without affecting the ability of other controllers to use them? i.e.

class FooController < ApplicationController
  def secret
    # Stuff
  end
end

class BarController < ApplicationController
  def index
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

But directly accessing the URL server.com/foo/secret/007 would return a "Not found" error?

It seems protected and private stop other controllers from accessing methods. I just want to stop users (or more specifically "outside" requests not from a controller).

Is this possible in RoR?

Thanks

Jeff

-- Posted via http://www.ruby-forum.com/.
On 3/9/06, Jeff Jones <rurounijones@hotmail.com> wrote:
> Is there a way to stop users from being able to access a controller's
> methods without affecting the ability of other controllers to use them?

You can use a before filter to control access to the controller's action. The way to do this securely is to authenticate the user somehow and check the authentication in the before filter.

> i.e.
>
> class FooController < ApplicationController
>   def secret
>     # Stuff
>   end
> end
>
> class BarController < ApplicationController
>   def index
>     redirect_to :controller => 'foo', :action => 'secret', :id => '007'
>   end
> end
>
> But directly accessing the URL server.com/foo/secret/007
>
> would return a "Not found" error?

The only way to do this without authenticating users is checking the HTTP_REFERER, but that is trivially forgeable. If security matters, you should authenticate users and store the authentication information in the session, and check that in the before filter.
> The only way to do this without authenticating users is checking the
> HTTP_REFERER, but that is trivially forgeable. If security matters,
> you should authenticate users and store the authentication information
> in the session, and check that in the before filter.

Bugger, I was afraid of that. When I say "users" in this case I just mean people using the website. It has no actual user/security framework.

Thanks

-- Posted via http://www.ruby-forum.com/.
Jeff Jones wrote:
> Is there a way to stop users from being able to access a controller's
> methods without affecting the ability of other controllers to use them?
>
> i.e.
>
> class FooController < ApplicationController
>   def secret
>     # Stuff
>   end
> end
>
> class BarController < ApplicationController
>   def index
>     redirect_to :controller => 'foo', :action => 'secret', :id => '007'
>   end
> end
>
> But directly accessing the URL server.com/foo/secret/007
>
> would return a "Not found" error?
>
> It seems protected and private stop other controllers from accessing
> methods. I just want to stop users (or more specifically "outside"
> requests not from a controller).
>
> Is this possible in RoR?

What I do for this is:

class BarController < ApplicationController
  def index
    flash[:from_bar] = true
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

class FooController < ApplicationController
  def secret
    unless flash[:from_bar]
      raise ::ActionController::UnknownAction, 'no direct access permitted'
    end
    # Stuff
  end
end

--
We develop, watch us RoR, in numbers too big to ignore.
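The two approaches in this thread, the session-checking before filter from the first reply and the flash gate from the reply above, can be exercised side by side without a Rails install. The following is an added example, not code from the thread or from Rails itself: the controller, action and route names follow the posts, while `Flash`, `Browser`, `CONTROLLERS` and `demo` are hypothetical stand-ins that reproduce just enough of Rails request handling (before filters, the one-request lifetime of the flash, and the rule that only public methods are routable actions) for the cases to run.

```ruby
# Added example, not code from the thread: a minimal stand-in for Rails
# request handling so the session-checking before filter and the flash gate
# can be exercised without Rails. Controller, action and route names follow
# the thread; Flash, Browser, CONTROLLERS and demo are hypothetical helpers.

class NotFound  < StandardError; end   # plays the role of ActionController::UnknownAction
class Forbidden < StandardError; end

# Models the one Rails flash property that matters here: a value written in
# request N is readable in request N+1 and is gone by request N+2.
class Flash
  def initialize(incoming, outgoing)
    @incoming, @outgoing = incoming, outgoing
  end

  def [](key)
    @incoming[key]
  end

  def []=(key, val)
    @outgoing[key] = val
  end
end

class Controller
  attr_reader :session, :flash, :params, :redirect_path

  def self.before_filters
    @before_filters ||= []
  end

  def self.before_filter(name)
    before_filters << name
  end

  def initialize(session, flash, params)
    @session, @flash, @params = session, flash, params
  end

  def redirect_to(path)
    @redirect_path = path
  end

  # Before filters run first; one that raises halts the action.
  def process(action)
    self.class.before_filters.each { |filter| send(filter) }
    send(action)
  end
end

class FooController < Controller
  before_filter :require_login

  def secret
    raise NotFound, 'no direct access permitted' unless flash[:from_bar]
    "secret for #{params[:id]}"
  end

  private

  # The check that actually holds: authentication state lives in the
  # server-side session, which the client cannot write to.
  def require_login
    raise Forbidden, 'login required' unless session[:user_id]
  end
end

class BarController < Controller
  def index
    flash[:from_bar] = true
    redirect_to '/foo/secret/007'
  end
end

CONTROLLERS = { 'foo' => FooController, 'bar' => BarController }.freeze

# One Browser is one session cookie. Routes are /:controller/:action/:id.
class Browser
  def initialize
    @session = {}
    @flash   = {}
  end

  def login(user_id)
    @session[:user_id] = user_id
  end

  # Returns [status, body]. follow: false stops at the redirect, as curl does.
  def get(path, follow: true)
    name, action, id = path.sub(%r{\A/}, '').split('/')
    klass  = CONTROLLERS[name]
    action = (action || 'index').to_sym
    # As in Rails, only public methods defined on the controller are actions,
    # so a private filter such as require_login is never reachable by URL.
    unless klass && klass.public_instance_methods(false).include?(action)
      return [404, 'no such action']
    end
    incoming, @flash = @flash, {}               # sweep: last request's flash is readable once
    ctl  = klass.new(@session, Flash.new(incoming, @flash), { id: id })
    body = ctl.process(action)
    return [200, body] unless ctl.redirect_path
    follow ? get(ctl.redirect_path) : [302, ctl.redirect_path]
  rescue NotFound => e
    [404, e.message]
  rescue Forbidden => e
    [403, e.message]
  end
end

# Walks through the cases discussed in the thread.
def demo
  results = {}
  anon = Browser.new
  results[:not_logged_in] = anon.get('/bar/index')       # before filter stops Foo: 403

  user = Browser.new
  user.login(42)
  results[:via_bar]    = user.get('/bar/index')          # flash set by Bar, consumed by Foo
  results[:direct]     = user.get('/foo/secret/007')     # no flash: 404
  results[:filter_url] = user.get('/foo/require_login')  # private method is not an action

  # The flash gate is not authorization: stop at the redirect (curl -i style)
  # and the one-request flash is still waiting for whatever URL comes next.
  results[:redirect] = user.get('/bar/index', follow: false)
  results[:bypass]   = user.get('/foo/secret/999')
  results
end
```

The last two requests in `demo` are the caveat a reviewer would want on the flash trick: it only proves that the session passed through `BarController#index` one request ago, not who the user is or which `:id` Bar intended, so a client that does not follow the redirect can ask `secret` for any id. That matches the original poster's framing of it as a deterrent for curious users; anything that must actually be protected belongs behind the session check in `require_login`.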
> class BarController < ApplicationController
>   def index
>     flash[:from_bar] = true
>     redirect_to :controller => 'foo', :action => 'secret', :id => '007'
>   end
> end
>
> class FooController < ApplicationController
>   def secret
>     unless flash[:from_bar]
>       raise ::ActionController::UnknownAction, 'no direct access permitted'
>     end
>     # Stuff
>   end
> end
>
> --
> We develop, watch us RoR, in numbers too big to ignore.

Oooohhh devious. Thanks very much. This isn't really a security implementation. Just to stop possibly silly curious users from messing around.

Jeff

-- Posted via http://www.ruby-forum.com/.