Should a user's home page be invoked by a show with the id => meaning /show/id (of user)?? when they log into the application? Because it would be easy for another user to use /show/3 to access the page of another user.

What's the normal procedure when a user logs into your app to get to his account page?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
You store the id of the logged-in user in the session. Then on the personal show page you only use the id stored in the session to access his/her data.

You can use a singular resource for the user; then you do not even need the id in the URL:

  map.resource :user

instead of

  map.resources :users

will allow for that. Then in the controller:

  @user = User.find(session[:user_id])

and all data related to the user only through associations (e.g. he has orders):

  @user.orders.each do |order|
    ...
  end

That's roughly how to use Rails to make sure nobody can access data that's not his own.
tyliong wrote:
> Should a user's home page be invoked by a show with the id => meaning
> /show/id (of user)?? when they log into the application? Because it
> would be easy for another user to use /show/3 to access the page of another
> user.
>
> What's the normal procedure when a user logs into your app to get to
> his account page?

It would be very easy, but that is why you do validation checking. For example, in my controller I not only save a session variable with the user's id but also have a before_filter that checks the user's id against the session[:id] value; if they don't match, the user gets kicked off or sent back to a login page.

-S
--
Posted via http://www.ruby-forum.com/.
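The two replies above describe the same defence from two angles: take the user's identity from the session rather than from the URL, reach the user's records only through that user's associations, and refuse the request in a before_filter when there is no logged-in user. The block below is an added example, not code from this thread or from Rails itself. It is plain Ruby with an in-memory "orders table" standing in for ActiveRecord, so it runs without Rails; the names `show_order_insecure`, `show_order_scoped`, `show_user_home` and `require_login` are hypothetical stand-ins for controller actions and a before_filter, and the order data is constructed for the example.

```ruby
# Added example: the difference between trusting the id in the URL
# (insecure direct object reference) and scoping every lookup through
# the user whose id is held in the server-trusted session.
# Pure Ruby; ORDERS is a constructed stand-in for an ActiveRecord table.

Order = Struct.new(:id, :user_id, :total)

# Constructed sample data: user 1 owns orders 1 and 2, user 2 owns order 3.
ORDERS = [
  Order.new(1, 1, 10.0),
  Order.new(2, 1, 25.0),
  Order.new(3, 2, 99.0),
].freeze

class NotLoggedIn < StandardError; end
class NotFound < StandardError; end

# Plays the role of a before_filter: the request is refused outright
# unless the session carries a user id. Returns that id for the action.
# The session must be one the server can trust (signed or server-side);
# the check is only as good as the session that feeds it.
def require_login(session)
  session[:user_id] or raise NotLoggedIn
end

# Insecure: equivalent to Order.find(params[:id]) after a login check.
# Any logged-in user can read any order by editing the id in the URL.
def show_order_insecure(session, params)
  require_login(session)
  ORDERS.find { |o| o.id == params[:id].to_i } or raise NotFound
end

# Scoped: equivalent to current_user.orders.find(params[:id]).
# The user comes from the session; the id from the URL is only ever
# looked up inside that user's own orders, so a foreign id is simply
# "not found" rather than someone else's data.
def show_order_scoped(session, params)
  user_id = require_login(session)
  ORDERS.find { |o| o.user_id == user_id && o.id == params[:id].to_i } or
    raise NotFound
end

# Singular resource (map.resource :user): the account page takes no id
# from the URL at all; everything hangs off the session user.
def show_user_home(session)
  user_id = require_login(session)
  { user_id: user_id, orders: ORDERS.select { |o| o.user_id == user_id } }
end

if __FILE__ == $PROGRAM_NAME
  session = { user_id: 1 }          # user 1 has logged in
  params  = { id: "3" }             # ...and tampers with the URL to order 3
  puts show_order_insecure(session, params).inspect  # leaks user 2's order
  begin
    show_order_scoped(session, params)
  rescue NotFound
    puts "scoped lookup: order 3 is not visible to user 1"
  end
  puts show_user_home(session).inspect
end
```

The point to take from it is that the scoped version never has to compare ids itself: ownership is enforced by where the lookup starts, so there is no separate check to forget in the next action.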
Thanks, I'll try it out once I have the chance.

On Aug 26, 10:08 pm, Shandy Nantz <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> tyliong wrote:
> > Should a user's home page be invoked by a show with the id => meaning
> > /show/id (of user)?? when they log into the application? Because it
> > would be easy for another user to use /show/3 to access the page of another
> > user.
> >
> > What's the normal procedure when a user logs into your app to get to
> > his account page?
>
> It would be very easy, but that is why you do validation checking. For
> example, in my controller I not only save a session variable with the
> user's id but also have a before_filter that checks the user's id against
> the session[:id] value; if they don't match, the user gets kicked off or
> sent back to a login page.
>
> -S
> --
> Posted via http://www.ruby-forum.com/.