Shouldn't everything in the application controller be protected by default?

I just realized that my app can be called like this: www.myapp.com/application/method and it actually tries to run that method inside my application controller.

Is everyone else just adding "protected" at the top?

Thanks,
Chad

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
On Wed, 2006-11-01 at 20:06 -0800, Chad wrote:
> Shouldn't everything in the application controller be protected by default?
>
> I just realized that my app can be called like this: www.myapp.com/application/method and it actually tries to run that method inside my application controller.
>
> Is everyone else just adding "protected" at the top?
----
I'm quite certain that this can be explained better by others but...

This is a function of Ruby, and the Ruby bible, Programming Ruby, provides some insights, as does AWDWR if I recall correctly.

All methods in your controllers are public unless they are specifically made private or protected.

I can't speak to what others do. I leave most controller methods available to the public but provide access control via an authorize/authenticate methodology mostly cribbed from Chad Fowler's Rails Recipes - in essence, assuming that a session belonging to a validated user with appropriate rights controlled via roles will ultimately govern access to the method(s) requested.

Craig
I agree, I handle things the same way, but the application controller public by default? That seems like a potential security risk for Rails web applications since EVERYONE has an application controller out of the box.

cheers

On Nov 1, 8:36 pm, Craig White <craigwh...-BQ75lA0ptkhBDgjK7y7TUQ@public.gmane.org> wrote:
> On Wed, 2006-11-01 at 20:06 -0800, Chad wrote:
> > Shouldn't everything in the application controller be protected by default?
> >
> > I just realized that my app can be called like this: www.myapp.com/application/method and it actually tries to run that method inside my application controller.
> >
> > Is everyone else just adding "protected" at the top?
> ----
> I'm quite certain that this can be explained better by others but...
>
> This is a function of Ruby, and the Ruby bible, Programming Ruby, provides some insights, as does AWDWR if I recall correctly.
>
> All methods in your controllers are public unless they are specifically made private or protected.
>
> I can't speak to what others do. I leave most controller methods available to the public but provide access control via an authorize/authenticate methodology mostly cribbed from Chad Fowler's Rails Recipes - in essence, assuming that a session belonging to a validated user with appropriate rights controlled via roles will ultimately govern access to the method(s) requested.
>
> Craig
On 11/1/06, Chad <carimura-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Shouldn't everything in the application controller be protected by default?
>
> I just realized that my app can be called like this: www.myapp.com/application/method and it actually tries to run that method inside my application controller.
>
> Is everyone else just adding "protected" at the top?

Yes! Public/protected/private method visibility is a natural way to distinguish actions from their supporting methods. No need to introduce a special case here to sully that consistency.

jeremy
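An added example, not code from this thread or from Rails itself: a stand-alone Ruby model of why Chad's public helper was routable and how Jeremy's `protected` and Craig's authorize filter each close it off. `BaseController`, its `action_methods`, `before_filter` and `dispatch` methods, and the three controllers are constructed for the illustration; the assumption is only that Rails selects actions from a controller's public instance methods and runs before filters ahead of them, which is the behaviour the thread describes.

```ruby
class BaseController
  # Roughly ActionController::Base.action_methods (a model, not Rails code):
  # the public instance methods a controller adds on top of the base class.
  def self.action_methods
    (public_instance_methods - BaseController.public_instance_methods).map(&:to_s).sort
  end

  # Minimal before_filter registry, modelled on Craig's authorize approach.
  def self.before_filter(name)
    (@filters ||= []) << name
  end

  def self.filters
    inherited = superclass.respond_to?(:filters) ? superclass.filters : []
    inherited + (@filters || [])
  end

  # URL dispatch: :not_found unless the name is a public action, then run
  # the filters, then the action. Symbols are returned so outcomes are checkable.
  def self.dispatch(action, role: :guest)
    return :not_found unless action_methods.include?(action)
    controller = new
    controller.role = role
    filters.each { |f| return :forbidden unless controller.send(f) }
    controller.public_send(action)
  end

  attr_accessor :role
end

# Chad's situation: a helper left public is itself a routable action.
class LeakyApplicationController < BaseController
  def reset_everything; :reset_done; end
end

# Jeremy's fix: below `protected` the same helper is no longer an action, and
# Craig's role check lives there too, reachable only as a filter.
class SafeApplicationController < BaseController
  protected
  def reset_everything; :reset_done; end
  def authorize; role == :admin; end
end

# A real action in a subclass, still gated by the authorize filter.
class PostsController < SafeApplicationController
  before_filter :authorize
  def destroy; :post_destroyed; end
end
```

`LeakyApplicationController.action_methods` lists the helper and `dispatch("reset_everything")` runs it from a bare URL, while the protected version is `:not_found` for any role and `destroy` is `:forbidden` until the session role is `:admin`.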
fair enough. done.

On Nov 1, 9:14 pm, "Jeremy Kemper" <jer...-w7CzD/W5Ocjk1uMJSBkQmQ@public.gmane.org> wrote:
> On 11/1/06, Chad <carim...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Shouldn't everything in the application controller be protected by default?
> >
> > I just realized that my app can be called like this: www.myapp.com/application/method and it actually tries to run that method inside my application controller.
> >
> > Is everyone else just adding "protected" at the top?
>
> Yes! Public/protected/private method visibility is a natural way to distinguish actions from their supporting methods. No need to introduce a special case here to sully that consistency.
>
> jeremy