I've got an app running that uses acts_as_attachment. Works well and I've secured an admin area and an owners area. Trouble is I now need to secure each action to ensure that people can't just alter a URL to edit another owner's records. Any tips for doing this....? I have a concept of a logged in owner: @owner = current_owner. Be grateful for any pointers, I'm looking for the simplest solution.

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On Jan 1, 2008, at 10:32 PM, bingo bob wrote:

> I've got an app running that uses acts_as_attachment.
> Works well and I've secured an admin area and an owners area.
> Trouble is I now need to secure each action to ensure that people can't just alter a URL to edit another owner's records. Any tips for doing this....?
> I have a concept of a logged in owner: @owner = current_owner.
> Be grateful for any pointers, I'm looking for the simplest solution.

Don't secure the controller method, secure the record. In a schema where:

    User :has_many Thingies

you can do:

    current_user.thingies.find(params[:id])

where current_user is typically instantiated by your authentication filter. This effectively scopes the find only to those thingies that belong to a particular user.
Thanks, that's fantastic. That sounds like a much more elegant idea. At least this way I don't have to worry about securing each and every controller and additionally can control access in a single place.

One further point on this: I allow an "admin" (just a regular owner who I specify by name) access to everything. Can you advise how I'd implement that also?

--
Posted via http://www.ruby-forum.com/.
On Jan 2, 2008, at 12:09 AM, bingo bob wrote:

> Thanks, that's fantastic. That sounds like a much more elegant idea. At least this way I don't have to worry about securing each and every controller and additionally can control access in a single place.
>
> One further point on this: I allow an "admin" (just a regular owner who I specify by name) access to everything. Can you advise how I'd implement that also?

Good question. Obviously, you are moving more toward an ACL or role-based authentication system, so it's not as simple as keeping people out of each others' data. If you created a habtm relationship instead of has_many, your data records could belong to both the user-level owner and also the admin. Just a thought.
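The following is an added example, not code posted by anyone in this thread. It shows both points raised above in one place: the scoped lookup from the first reply (the Rails form is current_user.thingies.find(params[:id])) next to the unscoped lookup it replaces, and the "admin sees everything" rule from the follow-up question. It is written in plain Ruby with Struct stand-ins so it runs without Rails or a database; User, Thingy, THINGIES, USERS, ADMIN_NAMES, find_for and can_edit? are all constructed for the example. The admin rule is modelled as a role check on the owner's name, which is an assumption; the reply's habtm layout would instead make the admin a second owner of every row.

```ruby
# Added example, not code from the thread. Plain-Ruby stand-in for the
# ActiveRecord pattern "current_user.thingies.find(params[:id])" so it runs
# without Rails; the admin-by-name rule is modelled as a role check, which is an
# assumption, not the habtm layout suggested in the reply.

class RecordNotFound < StandardError; end

Thingy = Struct.new(:id, :owner_id, :title)
User   = Struct.new(:id, :name)

# Constructed sample rows standing in for database tables.
THINGIES = [
  Thingy.new(10, 1, "alice's upload"),
  Thingy.new(11, 2, "bob's upload"),
].freeze
USERS = [User.new(1, "alice"), User.new(2, "bob"), User.new(3, "root")].freeze

# Assumption: the admin is an ordinary owner picked out by name, as the poster described.
ADMIN_NAMES = ["root"].freeze

class User
  def admin?
    ADMIN_NAMES.include?(name)
  end

  # Mirrors current_user.thingies: the association already filters by owner.
  def thingies
    THINGIES.select { |t| t.owner_id == id }
  end
end

# The shape being replaced: a lookup keyed on params[:id] alone. Any logged-in
# owner who edits the id in the URL reaches any record.
def unscoped_find(params)
  THINGIES.find { |t| t.id == params[:id].to_i } or raise RecordNotFound
end

# The shape the reply recommends: start from the owner's own records, so an id
# belonging to someone else is simply not found (Rails turns that into a 404).
# The admin bypass widens the scope to every record for the named admin only.
def find_for(current_user, params)
  scope = current_user.admin? ? THINGIES : current_user.thingies
  scope.find { |t| t.id == params[:id].to_i } or
    raise RecordNotFound, "Couldn't find Thingy with id=#{params[:id]}"
end

# Boolean wrapper, convenient for a before_filter or for tests.
def can_edit?(current_user, params)
  find_for(current_user, params)
  true
rescue RecordNotFound
  false
end

if __FILE__ == $PROGRAM_NAME
  alice, _bob, root = USERS
  puts can_edit?(alice, id: "10")  # true: her own record
  puts can_edit?(alice, id: "11")  # false: bob's record, hidden by the scope
  puts can_edit?(root,  id: "11")  # true: admin sees everything
end
```

The point of the scoped form is that there is no separate ownership check to forget in each action: the lookup itself can only return rows the current owner is allowed to touch, and a tampered id fails the same way a nonexistent id does. Keeping the admin widening inside find_for means the role decision also lives in one place rather than being repeated per controller.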