I'm showing in the view a menu with just the options for a certain user, i.e.:

    <% if user = "admin" %>
      <a href="/action/addcontent">Add content</a>
    <% end %>

and that works, but if the user goes and directly writes in the address bar myappurl/action/adcontent/TheContent, that is valid and the Rails app processes it.

How can I avoid this? I mean, remove access to certain actions of the Rails app completely.

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
Hi Ana,

Ana wrote:
> if the user goes and directly writes in the address
> bar myappurl/action/adcontent/TheContent that is
> valid and the Rails app processes it.
>
> How can I avoid this? I mean, remove access to
> certain actions of the Rails app completely.

Put a line "protected" in your controller. Then put any controller methods that you don't want to be available via user-entered URLs beneath that line. Anything below the 'protected' line can only be invoked from other methods in your app.

hth,
Bill
Check out before_filter. This allows you to call a method (or Proc) to determine whether the code should continue running.

    class MyController < ApplicationController
      before_filter :authenticate

      private

      # Returning false from a before_filter halts the chain, so the
      # requested action is never run.
      def authenticate
        if session[:user_id]   # is ok? (substitute your own check here)
          return true
        else
          return false
        end
      end
    end

Also, check out the LoginEngine (http://api.rails-engines.org/login_engine/), a very comprehensive user authentication tool for Rails. Even if it's too much for your app, it still has a lot of good ideas in it on how to do just this.

Jason

On 10/25/06, Ana <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> I'm showing in the view a menu with just the options for a certain user, i.e.:
>
> <% if user = "admin" %>
> <a href"/action/addcontent">Add content</a>
> <% end %>
>
> and that works, but if the user goes and directly writes in the address
> bar myappurl/action/adcontent/TheContent, that is valid and the Rails app
> processes it.
>
> How can I avoid this? I mean, remove access to certain actions of the
> Rails app completely.
>
> --
> Posted via http://www.ruby-forum.com/.
    class HomeController < ApplicationController
      before_filter :verify_admin_user

      def verify_admin_user
        # find_by_id returns nil instead of raising when the session holds a stale id
        user = User.find_by_id(session[:user_id])
        unless user && user.is_admin?
          redirect_to :controller => 'home', :action => 'index'
        end
      end
    end

You need to define your is_admin? method in your User model class.

> How can I avoid this? I mean, remove access to certain actions of the
> Rails app completely.
>
> --
> Posted via http://www.ruby-forum.com/.
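To show the point the replies above make, here is an added example (not code from the thread or from Rails itself): a small stand-in for the before_filter mechanism, with a constructed session hash in place of the real Rails session, demonstrating that the controller-side admin check refuses a request to add_content regardless of whether the link was shown in the view.

```ruby
# Added example, not code from the thread: a tiny stand-in for Rails'
# before_filter showing that a link hidden in the view is not access control;
# the controller filter refuses the request however the URL was reached.
class BaseController
  def self.filters
    @filters ||= []
  end

  # before_filter :name, :only => [:action, ...]; :only is optional
  def self.before_filter(name, options = {})
    filters << [name, Array(options[:only])]
  end

  # Dispatch an action as the router would for a URL typed into the address
  # bar. Filters run first; one returning false halts the chain (Rails 1.x
  # semantics) and the action body never executes.
  def process(action, params = {})
    @params = params
    self.class.filters.each do |name, only|
      next unless only.empty? || only.include?(action)
      return @response if send(name) == false
    end
    send(action)
  end
end

class ContentController < BaseController
  before_filter :verify_admin_user, :only => [:add_content]

  def initialize(session)
    @session = session # constructed test data, e.g. { :role => "admin" }
  end

  def index
    "200 index"
  end

  def add_content
    "200 created #{@params[:content]}"
  end

  private

  # The real check lives here, not in the view template.
  def verify_admin_user
    return true if @session[:role] == "admin"
    @response = "302 redirect to /home/index"
    false
  end
end
```

A guest session calling process(:add_content, :content => "x") gets the redirect and the action body never runs, while :index, which is not covered by :only, stays reachable.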
> I'm showing in the view a menu with just the options for a certain user, i.e.:
>
> <% if user = "admin" %>
> <a href"/action/addcontent">Add content</a>
> <% end %>

Hope you meant "==", 'cause the above will always be true as it's assigning "admin" to the user variable... so everyone is going to see that link.

> and that works, but if the user goes and directly writes in the address
> bar myappurl/action/adcontent/TheContent, that is valid and the Rails app
> processes it.
>
> How can I avoid this? I mean, remove access to certain actions of the
> Rails app completely.
>
> --
> Posted via http://www.ruby-forum.com/.