Let's say I have a session-based login system:

  username = session[:username]   (jochen)
  userid   = session[:userid]     (1)

Now I want to book a room:

  http://127.0.0.1:3000/guests/1/bookings/new   (works)

But when I type

  http://127.0.0.1:3000/guests/5/bookings/new

I can book a room for a different user.

What's the preferred way to deny success to URLs including a userid, so that I can only access those URLs which include my userid?

Thanx

--
Jochen

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Your user model defines:

  has_many :bookings

So after finding the current user like:

  def current_user
    # look the user up from the session id only, never from the URL
    @current_user ||= User.find(session[:userid])
  end

in application.rb you can use

  current_user.bookings.create(...)

That way nobody can access data of somebody else. Same goes for index/show actions etc.:

  current_user.bookings.each do |booking|
    ...
  end

By the way: no need to store the username in session, id is enough.

--
Posted via http://www.ruby-forum.com/.
Why would you store the current user's ID in the URL anyway? That's a major security risk. It can be better handled by storing the user ID in a session[:user] or session[:user_id] variable. Check out how acts_as_authenticated and restful_authenticated do it.

On Dec 20, 2007 9:13 PM, Thorsten Mueller <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Your user model defines:
>
>   has_many :bookings
>
> So after finding the current user like:
>
>   def current_user
>     @current_user ||= User.find(session[:userid])
>   end
>
> in application.rb you can use
>
>   current_user.bookings.create(...)
>
> That way nobody can access data of somebody else. Same goes for index/show actions etc.:
>
>   current_user.bookings.each do |booking|
>     ...
>   end
>
> By the way: no need to store the username in session, id is enough.
>
> --
> Posted via http://www.ruby-forum.com/.

--
Ryan Bigg
http://www.frozenplague.net
On 20.12.2007 at 12:24, Ryan Bigg wrote:
> Why would you store the current user's ID in the URL anyway?

http://127.0.0.1:3000/guests/1/bookings/new

That's the way Rails does it, isn't it?
I would suggest installing the restful_authentication plugin. Once done, one way of doing it is in the bookings controller: add the following filter

  before_filter :login_required

and add a subsequent authorized? method to check if the URL user_id matches the current user. The code below checks the user is logged in and is in the correct role.

  def authorized?
    logged_in? && (current_user.roles.in_role('company') or current_user.roles.in_role('admin'))
  end

Jochen Kaechelin wrote:
> On 20.12.2007 at 12:24, Ryan Bigg wrote:
>> Why would you store the current user's ID in the URL anyway?
>
> http://127.0.0.1:3000/guests/1/bookings/new
>
> That's the way Rails does it, isn't it?
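Putting the two suggestions in this thread together (resolve the user from the session and scope every lookup through current_user, and refuse early when the guest id in the URL is not the logged-in user's) as a runnable plain-Ruby sketch. This is an added example, not code from the thread; User, Booking, USERS and NotAuthorized are constructed stand-ins, and the class only imitates a Rails controller so it runs without Rails or restful_authentication:

```ruby
# Added example, not code from the thread: a plain-Ruby sketch of the advice given
# above. User, Booking, USERS and NotAuthorized are constructed stand-ins; the
# class below only imitates a Rails controller and needs no Rails to run.
User    = Struct.new(:id, :name, :bookings)
Booking = Struct.new(:id, :user_id, :room)

# Constructed sample data: user 1 (jochen) and user 5 each own one booking.
USERS = {
  1 => User.new(1, "jochen", [Booking.new(10, 1, "101")]),
  5 => User.new(5, "other",  [Booking.new(20, 5, "202")]),
}

class NotAuthorized < StandardError; end

class BookingsController
  # session is what the login system set; params come from /guests/:guest_id/bookings/:id
  def initialize(session, params)
    @session, @params = session, params
  end

  # Resolve the user from the session id only; the URL is never trusted for identity.
  def current_user
    @current_user ||= USERS.fetch(@session[:userid])
  end

  # Deny early when the guest id in the URL is not the logged-in user's own id.
  def authorized?
    !@session[:userid].nil? && @params[:guest_id].to_i == current_user.id
  end

  # Stand-in for `before_filter`: every action goes through authorized? first.
  def run(action)
    raise NotAuthorized, "guest #{@params[:guest_id]} is not the logged-in user" unless authorized?
    send(action)
  end

  # index: going through the association means only the caller's rows are loaded.
  def index
    current_user.bookings.map(&:room)
  end

  # show: looking the record up via current_user makes a foreign booking id simply not found.
  def show
    current_user.bookings.find { |b| b.id == @params[:id].to_i } or
      raise NotAuthorized, "booking #{@params[:id]} does not belong to you"
  end
end
```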
> That's the way Rails does it, isn't it?

No, that's not the way Rails should do something like that. It should store it as a session variable.

--
Ryan Bigg
http://www.frozenplague.net
Unless you're nesting your routes, which in this case might make sense.

--Jeremy

On Dec 20, 2007 3:00 PM, Ryan Bigg <radarlistener-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> That's the way Rails does it, isn't it?
>
> No, that's not the way Rails should do something like that. It should store it as a session variable.
>
> --
> Ryan Bigg
> http://www.frozenplague.net

--
http://www.jeremymcanally.com/

My books:
Ruby in Practice http://www.manning.com/mcanally/
My free Ruby e-book http://www.humblelittlerubybook.com/

My blogs:
http://www.mrneighborly.com/
http://www.rubyinpractice.com/