How could I make it so that links on my page could link to a controller's action, but if the user manually entered the URL, it would redirect them back to the main page? Is this possible?

Thank you,
-Ben Lisbakken

--
Posted via http://www.ruby-forum.com/.

Couldn't you just check HTTP_REFERER? If it's defined, you could do some regex on it to make sure that they made it there from a link inside your application. Unless I'm mistaken, a manually entered URL doesn't have a referrer.

Sorry I can't be more specific with code... I'm at my day job ;)

Matt

On 7/25/06, Ben Lisbakken <lisbakke@gmail.com> wrote:
> How could I make it so that links on my page could link to a controllers
> action, but if the user manually entered the url, it would redirect them
> back to the main page? Is this possible?
>
> Thank you,
> -Ben Lisbakken
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

On 7/25/06, Ben Lisbakken <lisbakke@gmail.com> wrote:
> How could I make it so that links on my page could link to a controllers
> action, but if the user manually entered the url, it would redirect them
> back to the main page? Is this possible?

How about using a session? I didn't try it, but maybe this would work:

    module ActionView
      module Helpers
        module UrlHelper
          # Keep the stock helper reachable under another name before redefining it.
          alias_method :link_to_without_session, :link_to

          def link_to(name, options = {}, html_options = nil, *parameters_for_method_reference)
            # Records the options of the most recently rendered link.
            session[:to_url] = options
            link_to_without_session(name, options, html_options, *parameters_for_method_reference)
          end
        end
      end
    end

Then in your controller you could do a before_filter or something with a method to check that the URL matches the to_url and wipe it out of the session.

Or you could just check the HTTP Referrer, but that can be spoofed.

Michael Schreifels

On 7/25/06, Matt White <stockliasteroid@gmail.com> wrote:
> Couldn't you just check HTTP_REFERER? If it's defined, you could do some
> regex on it to make sure that they made it there from a link inside your
> application. Unless I'm mistaken, a manually entered URL doesn't have a
> referrer.

The problem, as I mentioned, is that HTTP_REFERER is given to the server through the request header (usually by a browser). Because of this, it isn't very difficult to insert a fake referrer. An example of how to do this from http://ow.bbclone.de/2005/11/20/know-your-enemy-how-to-simulate-fake-connections/ :

    [olliver@bunkiten ~]$ wget -q -U "Mozilla/5.0 (Java 1.5.0_05; Windows XP 5.1 x86; en) ICEbrowser/v6_0_2" --header="X-Forwarded-For: 192.168.0.1" -i="/home/me/server-list.txt" --referer="http://www.example.org/adipexanax/buy-adipexanax-now.html" -O /dev/null

As far as the server is concerned, that user came from http://www.example.org/adipexanax/buy-adipexanax-now.html which is obviously not the case.

If you do still want to use HTTP_REFERER, you can just access request.env["HTTP_REFERER"]

> > How could I make it so that links on my page could link to a controllers
> > action, but if the user manually entered the url, it would redirect them
> > back to the main page? Is this possible?

I was just curious as to why you would need to do this? Security reasons? What if someone bookmarked that page?

--
Andrew Stone

I would like to know because in my app, I have a main view. It's called Headline. Headline view is always displayed, and there's a div in it called Content. Whenever the user clicks on the nav menu to change to different sections, it just calls another controller's action and throws it into the Content div. I wanted to be able to show a little loading spinner while the user navigates around the site, no matter what they do. Thus, I have the loading spinner in the nav menu of the Headline controller, and I do ajax updates of Content to load the various pages.

The reason why I don't want them to manually enter in URLs is because then they would load the page without the Headline Nav menu stuff. So there's no real security reason, just aesthetics.

Also, since I'm still a newbie to Rails, I'd like to know if what I'm doing is a bad idea for some reason or another.

Thanks,
Ben Lisbakken

On Jul 25, 2006, at 6:49 PM, Andrew Stone wrote:
> How could I make it so that links on my page could link to a
> controllers
> action, but if the user manually entered the url, it would redirect
> them
> back to the main page? Is this possible?
>
> I was just curious as to why you would need to this? Security
> reasons? What if someone bookmarked that page?
>
> --
> Andrew Stone

Well this does seem a bit tricky. I wonder if you can use hide_action to hide the controllers/actions but still make them callable via your links? I would guess so if you are using link_to_remote, but that is a guess.

--
Andrew Stone

On Jul 25, 2006, at 8:26 PM, Ben Lisbakken wrote:
> I would like to know because in my app, I have a main view. it's
> called Headline. Headline view is always displayed, and there's a
> div in it called Content. Whenever the user clicks on the nav menu
> to change to different sections, it just calls another controllers
> action and throws it into the Content div. I wanted to be able to
> show a little loading spinner while the user navigates around the
> site, no matter what they do. Thus, I have the loading spinner in
> the nav menu of the Headline controller, and I do ajax updates of
> Content to load the various pages.
>
> The reason why i don't want them to manually enter in URL's is
> because then they would load the page without the Headline Nav menu
> stuff. So there's no real security reason, just aesthetics.
>
> Also, since I'm still a newbie to Rails, I'd like to know if what
> I'm doing is a bad idea for some reason or another.
>
> Thanks,
> Ben Lisbakken

Ben, manually entered URLs will make a GET request. Your ajax actions will use an XMLHttpRequest. You can check for these and redirect to the proper place if the request is not an ajax request. It's not foolproof, as you can craft a request to look like an ajax request. But is it important enough to do any more than this?

    def ajax_action
      return redirect_to :controller => 'go_away' unless request.xhr?
      # If it makes it here, it's an ajax request and not one a user typed into their browser.
    end

-Ezra

cool, thanks

On Jul 25, 2006, at 11:48 PM, Ezra Zygmuntowicz wrote:
> On Jul 25, 2006, at 8:26 PM, Ben Lisbakken wrote:
>
>> I would like to know because in my app, I have a main view. it's
>> called Headline. Headline view is always displayed, and there's
>> a div in it called Content. Whenever the user clicks on the nav
>> menu to change to different sections, it just calls another
>> controllers action and throws it into the Content div. I wanted
>> to be able to show a little loading spinner while the user
>> navigates around the site, no matter what they do. Thus, I have
>> the loading spinner in the nav menu of the Headline controller,
>> and I do ajax updates of Content to load the various pages.
>>
>> The reason why i don't want them to manually enter in URL's is
>> because then they would load the page without the Headline Nav
>> menu stuff. So there's no real security reason, just aesthetics.
>>
>> Also, since I'm still a newbie to Rails, I'd like to know if what
>> I'm doing is a bad idea for some reason or another.
>>
>> Thanks,
>> Ben Lisbakken
>
> Ben manually entered url's will make a get request. Your ajax
> actions will use an xmlhttprequest. You can check for these and
> redirect to the proper place if the request is not an ajax request.
> Its not fool proof as you can craft a request to look like an ajax
> requests. But is it important enough to do any more then this?
>
> def ajax_action
>   return redirect_to :controller => 'go_away' unless request.xhr?
>   # if it makes it here its an ajax request and not one a user
>   # typed into their browser.
> end
>
> -Ezra

Add a parameter to the link that is a SHA1/MD5/combo crypto hash of a random value stored in their session.

On Jul 25, 2006, at 2:14 PM, Ben Lisbakken wrote:
> How could I make it so that links on my page could link to a
> controllers
> action, but if the user manually entered the url, it would redirect
> them
> back to the main page? Is this possible?
>
> Thank you,
> -Ben Lisbakken
>
> --
> Posted via http://www.ruby-forum.com/.

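Tom's suggestion worked through as an added example (not code posted in the thread), set next to the Referer and request.xhr? checks discussed earlier. It assumes a plain Hash standing in for the session, uses HMAC-SHA256 over the link path in place of a bare SHA1/MD5 hash, and all names (link_secret, link_token, checks, app.example) are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# A plain Hash stands in for the server-side Rails session (assumption).
def link_secret(session)
  session[:link_secret] ||= SecureRandom.hex(32)
end

# Token carried in the link, bound to this session and this target path.
def link_token(session, path)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), link_secret(session), path)
end

def tokenized_link(session, path)
  "#{path}?t=#{link_token(session, path)}"
end

# Constant-time comparison, so the check does not reveal how much of a guess matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Runs the three checks proposed in the thread against one request.
# `request` is a constructed Hash (:path, :params, :headers), not Rails' request object.
def checks(session, request, app_host)
  headers = request[:headers]
  {
    referer: headers['Referer'].to_s.start_with?("http://#{app_host}/"),
    xhr:     headers['X-Requested-With'] == 'XMLHttpRequest',
    token:   session.key?(:link_secret) &&
             secure_equal?(request[:params]['t'].to_s, link_token(session, request[:path]))
  }
end

if __FILE__ == $PROGRAM_NAME
  session = {}                                        # constructed sample data
  path, token = tokenized_link(session, '/news/list').split('?t=')
  sent = { 'Referer' => 'http://app.example/headline', 'X-Requested-With' => 'XMLHttpRequest' }
  clicked = { path: path, params: { 't' => token }, headers: sent }
  typed   = { path: path, params: {}, headers: sent } # same headers, no token
  p checks(session, clicked, 'app.example')
  p checks(session, typed, 'app.example')
end
```

Both header checks depend only on values the client sends, while the token depends on a value that stays in the server-side session.
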
Thanks guys for your responses. Ezra, great idea with return redirect_to :controller => 'go_away' unless request.xhr?. That's what I'm usin' ;)

-Ben

On Jul 26, 2006, at 2:59 PM, Tom Mornini wrote:
> Add a parameter to the link that is a SHA1/MD5/combo
> crypto hash of a random value stored in their session.
>
> On Jul 25, 2006, at 2:14 PM, Ben Lisbakken wrote:
>
>> How could I make it so that links on my page could link to a
>> controllers
>> action, but if the user manually entered the url, it would
>> redirect them
>> back to the main page? Is this possible?
>>
>> Thank you,
>> -Ben Lisbakken
>>
>> --
>> Posted via http://www.ruby-forum.com/.