I'm showing in the view a menu with just the options for a certain user, i.e.:

<% if user = "admin" %>
<a href="/action/addcontent">Add content</a>
<% end %>

and that works, but if the user goes and directly writes in the address bar myappurl/action/adcontent/TheContent, that is valid and the Rails app processes it.

How can I avoid this? I mean, remove access to certain actions of the Rails app completely.

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
Hi Ana,

Ana wrote:
> if the user goes and directly writes in the address
> bar myappurl/action/adcontent/TheContent that is
> valid and the rails app processes it.
>
> How can I avoid this? I mean, remove access to
> certain actions of the rails app completely.

Put a line 'protected' in your controller. Then put any controller methods that you don't want to be available via user-entered URLs beneath that line. Anything below the 'protected' line can only be invoked from other methods in your app.

hth,
Bill
Check out before_filter. This allows you to call a method (or Proc) to
determine whether the code should continue running.
class MyController < ApplicationController
  before_filter :authenticate

  private  # keeps authenticate itself from being routable as an action

  def authenticate
    # Is the request OK? Return true to let the action run; otherwise
    # redirect or render and return false to stop the request here.
    true
  end
end
Also, check out the LoginEngine (http://api.rails-engines.org/login_engine/), a very comprehensive user authentication tool for Rails. Even if it's too much for your app, it still has a lot of good ideas in it on how to do just this.
Jason
On 10/25/06, Ana <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> I'm showing in the view a menu with just the options for a certain user, i.e.:
>
> <% if user = "admin" %>
> <a href="/action/addcontent">Add content</a>
> <% end %>
>
> and that works but if the user goes and directly writes in the address
> bar myappurl/action/adcontent/TheContent that is valid and the rails app
> processes it.
>
> How can I avoid this? I mean, remove access to certain actions of the
> rails app completely.
>
> --
> Posted via http://www.ruby-forum.com/.
>
class HomeController < ApplicationController
  before_filter :verify_admin_user

  def verify_admin_user
    user = session[:user_id]
    user = User.find(user) if user
    unless user && user.is_admin?
      redirect_to :controller => 'home', :action => 'index'
      return false  # explicitly halt the filter chain so the action never runs
    end
  end
end

You need to define your is_admin? method in your User model class.
> How can I avoid this? I mean, remove access to certain actions of the
> rails app completely.
>
> --
> Posted via http://www.ruby-forum.com/.
>
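As an added illustration (not code from the thread), here is the before_filter approach from the two replies above run without Rails: a tiny stand-in `MiniController` reimplements just enough of `before_filter` (with `:only`) to show that a hand-typed request to `add_content` by a non-admin is halted in the controller, whether or not the view ever showed the link. `MiniController`, the session layout and the `:halted`/`:content_added` return values are constructed for this demo and are not the Rails API.

```ruby
# Constructed stand-in for the Rails filter chain (not Rails itself):
# before_filter(name, :only => [...]) records a guard; process(action)
# runs the guards that apply and skips the action when one returns false.
class MiniController
  def self.before_filter(name, options = {})
    (@filters ||= []) << [name, Array(options[:only]).map(&:to_s)]
  end

  def self.filters
    @filters || []
  end

  attr_reader :session, :redirected_to

  def initialize(session)
    @session = session
    @redirected_to = nil
  end

  def process(action)
    action = action.to_s
    self.class.filters.each do |name, only|
      next unless only.empty? || only.include?(action)
      return :halted if send(name) == false
    end
    send(action)
  end
end

class HomeController < MiniController
  # Guard only the privileged action; index stays public.
  before_filter :verify_admin_user, :only => [:add_content]

  def index;       :index_page;    end
  def add_content; :content_added; end

  private

  # The check lives in the controller, so it runs however the request arrived.
  def verify_admin_user
    user = session[:user]               # constructed session layout
    return true if user && user[:admin]
    @redirected_to = :index             # stand-in for redirect_to
    false
  end
end

# A non-admin typing the URL directly is stopped before the action runs.
guest = HomeController.new({ :user => { :name => 'ana', :admin => false } })
guest.process(:add_content)             # => :halted
```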
> I'm showing in the view a menu with just the options for a certain user, i.e.:
>
> <% if user = "admin" %>
> <a href="/action/addcontent">Add content</a>
> <% end %>

Hope you meant "==", because the above will always be true as it's assigning "admin" to the user variable... so everyone is going to see that link.

> and that works but if the user goes and directly writes in the address
> bar myappurl/action/adcontent/TheContent that is valid and the rails app
> processes it.
>
> How can I avoid this? I mean, remove access to certain actions of the
> rails app completely.
>
> --
> Posted via http://www.ruby-forum.com/.