(Semi-newbie.) I want to ensure a user's able to destroy only his own
objects. I've set session info at login:

    session[:user_id] = user.id

Now I try this in the model of my deletable objects:

    before_destroy :destroy_your_own

    def destroy_your_own
      raise "Can't delete that!" unless session[:user_id] == self.user.id
    end

which snags EVERY attempted destroy. What am I doing wrong? Better
ideas?
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
It's hard to say without seeing the rest of the code, but have you tested
the value of self.user.id within the method? My guess is that self.user.id
is nil and thus the error is always raised.
Justin Skolnick wrote:
> (Semi-newbie.) I want to ensure a user's able to destroy only his own
> objects. I've set session info at login:
>
> session[:user_id] = user.id

Is the session cookie secure? How easy is it to forge a session with
someone else's user.id?

--Dean
Models don't have access to the session, so session[:user_id] is nil.
Sessions are a controller thing. One way I've seen this work is this:

1. Add a 'current_user' class property to your User model
2. Create a before_filter that sets this to the session[:user] on every
   request (not just at login)
3. In your model code, use 'User.current_user' instead of session[:user]
ljredpath-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Nov-18 13:36 UTC
Re: before_destroy and sessions
I wouldn't even take the callback/filter route. I'd simply define my own
method, destroy_as:

<code>
class SomeModel < ActiveRecord::Base
  def destroy_as(user)
    return false unless self.user == user
    destroy
  end
end

# now the controller - presumably you
# have access to the user object, not just
# the id - i usually instantiate a user from
# an id in the session using a before_filter
def destroy
  @obj = SomeModel.find(params[:id])
  if @obj.destroy_as(@current_user)
    flash[:notice] = 'It worked!'
  else
    flash[:error] = "It didn't work!"
  end
end
</code>

Hope that helps. You could alternatively just pass in the user ID to
destroy_as and do the comparison that way but I think this is more
intention revealing.
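Both suggestions in this thread (the request-scoped 'current_user' the model can read, and destroy_as with the acting user passed in) side by side, as an added example that is not code from the thread or from Rails. User, Post, CurrentUser and destroy_request are hypothetical stand-ins for the User model, an ActiveRecord model, the per-request current user and a controller action, so the ownership checks can be run without Rails or a database.

```ruby
# Added example, not code from the thread or from Rails. User, Post,
# CurrentUser and destroy_request are hypothetical stand-ins for the User
# model, an ActiveRecord model, the current user and a controller action.

class NotOwner < StandardError; end
class RecordNotFound < StandardError; end

User = Struct.new(:id, :name)

# The "current_user class property" idea, kept in Thread.current instead of a
# class variable: a class variable is process-wide, so on a threaded server
# one request's user could be seen by another. Thread-local storage keeps each
# request's user to itself.
module CurrentUser
  def self.user=(user)
    Thread.current[:current_user] = user
  end

  def self.user
    Thread.current[:current_user]
  end
end

class Post
  STORE = {} # hypothetical in-memory table standing in for the database

  attr_reader :id, :user_id, :title

  def initialize(id, user_id, title)
    @id, @user_id, @title = id, user_id, title
    STORE[id] = self
  end

  # Unscoped find, like SomeModel.find(params[:id]) above: any id is accepted.
  def self.find(id)
    STORE.fetch(id) { raise RecordNotFound, "post #{id}" }
  end

  # Scoped find, like current_user.posts.find(id) in Rails: a row the user does
  # not own is simply not found, so the ownership check cannot be forgotten.
  def self.find_owned_by(user, id)
    post = STORE[id]
    raise RecordNotFound, "post #{id}" unless post && post.user_id == user.id
    post
  end

  # destroy_as from the reply above: the caller passes the acting user.
  def destroy_as(user)
    return false unless user && user.id == user_id
    delete_row
  end

  # A before_destroy-style guard reading the request-scoped user instead of the
  # session the model cannot see. With no current user set (the nil case behind
  # the original poster's "every destroy fails") it refuses: failing closed.
  def destroy
    acting = CurrentUser.user
    unless acting && acting.id == user_id
      raise NotOwner, "user #{acting ? acting.id : 'nil'} may not delete post #{id}"
    end
    delete_row
  end

  def destroyed?
    !STORE.key?(id)
  end

  private

  def delete_row
    STORE.delete(id)
    true
  end
end

# A controller action in miniature. The before_filter part loads the user from
# session[:user_id] and stores it for this request; the action then destroys.
# Returns :ok, :forbidden or :not_found rather than setting flash.
def destroy_request(session, params, users)
  CurrentUser.user = users[session[:user_id]]
  Post.find(params[:id]).destroy
  :ok
rescue NotOwner
  :forbidden
rescue RecordNotFound
  :not_found
ensure
  CurrentUser.user = nil # never let one request's user leak into the next
end

if __FILE__ == $0
  users = { 1 => User.new(1, 'alice'), 2 => User.new(2, 'bob') }
  Post.new(10, 1, "alice's draft")
  puts destroy_request({ user_id: 2 }, { id: 10 }, users) # forbidden
  puts destroy_request({ user_id: 1 }, { id: 10 }, users) # ok
end
```

Two things worth noting from the sketch. First, whichever approach is used, the check has to compare against something the request actually established (a user object or id loaded from the session by a before_filter), never against the session inside the model, which is why the original callback saw nil and refused everything. Second, scoping the lookup to the owner (find_owned_by here, current_user.posts.find(params[:id]) in Rails) makes the authorization part of the query, so a foreign id is not found at all rather than found and then (hopefully) rejected. Dean's point still stands for every variant: the check is only as trustworthy as the session it reads the user from.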