Hi,
I am working on a RESTful website and also want to support XML as
content type. However, I want to protect all XML actions with OAuth so
that we can control, monitor and maybe limit access to the API in the
future.
I installed the Rails oauth-plugin which works perfectly. I added this
to the application controller:
  before_filter :require_oauth_for_xml_requests

  def require_oauth_for_xml_requests
    if params[:format] == 'xml'
      oauth_required
    else
      true
    end
  end
The problem is that this only works if accessing something like
'/users.xml'. If HTTP headers are set instead I cannot detect the proper
type. The action is not protected if I use:
  curl -H 'Accept: application/xml' -H 'Content-Type: application/xml' 'http://localhost:3000/users'
The HTTP headers can be inspected in the request object but there are
many combinations and it is probably not a good idea to just check if
the content-type equals "application/xml" as it can also be placed at
another position in the list.
How could my require_oauth_for_xml_requests method be fixed to detect
all XML requests?
I would appreciate any help.
Thanks,
Sascha
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Sure... and it's reasonable to figure out why that's not working for
you - params[:format] is just whatever's in the querystring. You want to
check the actual request's content type. From what I've seen you want to
explicitly ask for the requested format.

  def require_oauth_for_xml_requests
    if request.format.xml?
      oauth_required
    else
      true
    end
  end

See if that works.

On Thu, Jul 24, 2008 at 5:01 AM, Sascha Konietzke <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I am working on a RESTful website and also want to support XML as
> content type. However, I want to protect all XML actions with OAuth so
> that we can control, monitor and maybe limit access to the API in the
> future.
>
> I installed the Rails oauth-plugin which works perfectly. I added this
> to the application controller:
>
>   before_filter :require_oauth_for_xml_requests
>
>   def require_oauth_for_xml_requests
>     if params[:format] == 'xml'
>       oauth_required
>     else
>       true
>     end
>   end
>
> The problem is that this only works if accessing something like
> '/users.xml'. If HTTP headers are set instead I cannot detect the proper
> type. The action is not protected if I use:
>
>   curl -H 'Accept: application/xml' -H 'Content-Type: application/xml' 'http://localhost:3000/users'
>
> The HTTP headers can be inspected in the request object but there are
> many combinations and it is probably not a good idea to just check if
> the content-type equals "application/xml" as it can also be placed at
> another position in the list.
>
> How could my require_oauth_for_xml_requests method be fixed to detect
> all XML requests?
>
> I would appreciate any help.
>
> Thanks,
> Sascha
Thanks Brian, it works. This was what I was looking for!
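
Added example, not part of the thread and not code from Rails or the oauth-plugin: a stand-alone Ruby sketch of the decision the filter has to make, run against constructed header values. It assumes a request counts as XML when the URL format is xml, the Content-Type is XML, or XML is the highest-ranked type in Accept (by q-value, then position); all method names are hypothetical.

```ruby
# Added example: stand-alone Ruby, no Rails required. All method names are hypothetical.
XML_TYPES = %w[application/xml text/xml].freeze

# Split an Accept header into media types ordered by preference:
# highest q first, header order breaking ties. Entries with q=0 are dropped.
def ranked_accept(header)
  entries = header.to_s.split(',').each_with_index.map do |range, index|
    type, *params = range.split(';').map(&:strip)
    next if type.nil? || type.empty?
    q = params.map { |p| p[/\Aq=([0-9.]+)\z/i, 1] }.compact.first
    [type.downcase, q ? q.to_f : 1.0, index]
  end
  entries.compact.reject { |_, q, _| q <= 0 }
         .sort_by { |_, q, index| [-q, index] }
         .map(&:first)
end

# Media type of a Content-Type header without parameters such as charset.
def body_type(content_type)
  content_type.to_s.split(';').first.to_s.strip.downcase
end

# format_param mirrors params[:format]; accept and content_type are raw header values.
def oauth_needed?(format_param, accept, content_type)
  return true if format_param.to_s.downcase == 'xml'          # e.g. /users.xml
  return true if XML_TYPES.include?(body_type(content_type))  # XML request body
  XML_TYPES.include?(ranked_accept(accept).first)             # client prefers XML
end

# The check from the original post, kept for comparison.
def format_param_only?(format_param)
  format_param == 'xml'
end

# Constructed sample requests: [label, params[:format], Accept, Content-Type]
SAMPLES = [
  ['/users.xml',            'xml', nil, nil],
  ['curl from the post',    nil, 'application/xml', 'application/xml'],
  ['xml second, higher q',  nil, 'text/html;q=0.5, application/xml', nil],
  ['xml body, html accept', nil, 'text/html', 'application/xml; charset=utf-8'],
  ['browser-style accept',  nil, 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', nil],
  ['xml refused with q=0',  nil, 'text/html, application/xml;q=0', nil]
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, fmt, accept, ctype|
    puts format('%-22s param-only=%-5s header-aware=%s',
                label, format_param_only?(fmt), oauth_needed?(fmt, accept, ctype))
  end
end
```

The browser-style row shows why matching "application/xml" anywhere in the Accept list is too broad: the type is listed, but only as a lower-ranked fallback.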