Hi Everyone. I am working on my first Ruby on Rails app. It is a basic project management application. I have user login/logout functionality set up. It will only display a list of projects that are linked to the logged-in user. However, if someone else logs in and types in a URL such as www.projectmanagement.com/projects/17 (where 17 is a project id), they will be able to see that project even if they are not linked to it. What is the best design approach to this problem?

Thank you for any advice!!!

Nathan

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2008-Sep-24 20:37 UTC
Re: How to restrict viewing/modifying other users data?
On Sep 24, 8:57 pm, Nathan <ngilmore...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi Everyone. I am working on my first Ruby on Rails app. It is a
> basic project management application. I have user login/logout
> functionality set up. It will only display a list of projects that
> are linked to the logged in user. However, if someone else logs in
> and types in a url such as www.projectmanagement.com/projects/17
> (where 17 is a project id), they will be able to see that project even
> if they are not linked to it. What is the best design approach to
> this problem?
>

Instead of doing

  Project.find

do

  current_user.projects.find

This restricts the find to projects owned by that user.

Fred

> Thank you for any advice!!!
>
> Nathan
I would think a simple before_filter would work for you that would require a login before those projects could be viewed. Once they log in, they would only be able to see the projects that they are assigned to.

Your before_filter would be placed up top in the controller for projects.

Something like this....

  before_filter :login_required, :only => [:new, :create, :edit, :update]

Then you could add all of the other actions that require a login as well such as :show, :add, :edit, :delete, etc., etc. I am certainly no Rails genius yet, but I think this would work for you.

--Cory
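The two answers above address different questions: Cory's before_filter checks that someone is logged in (authentication), while Fred's current_user.projects.find checks that the logged-in person is allowed to see this particular project (authorization). The following is an added example to show the difference side by side; it is not code from the thread or from Rails. It is a Rails-free Ruby sketch in which User, Project, PROJECTS, ProjectsController, project_find, user_projects_find and outcome are all constructed stand-ins for the real models and controller, with project 17 owned by user 1 and project 18 by user 2.

```ruby
# Added example, not code from the thread or from Rails: a Rails-free sketch
# of an authentication filter (Cory's before_filter) next to an authorization
# scope (Fred's current_user.projects.find). Users, projects and the
# controller below are constructed in-memory stand-ins, not a real app.

class RecordNotFound   < StandardError; end   # plays ActiveRecord::RecordNotFound (a 404 in Rails)
class NotAuthenticated < StandardError; end   # what a :login_required filter would redirect on

User    = Struct.new(:id, :name)
Project = Struct.new(:id, :name, :owner_id)

# Constructed sample rows: project 17 belongs to user 1, project 18 to user 2.
PROJECTS = [
  Project.new(17, "Payroll migration", 1),
  Project.new(18, "Website redesign",  2),
].freeze

# Stand-in for the unscoped Project.find(id): returns any row, whoever owns it.
def project_find(id)
  project = PROJECTS.find { |p| p.id == id }
  raise RecordNotFound, "Couldn't find Project with id=#{id}" unless project
  project
end

# Stand-in for current_user.projects.find(id): the lookup is restricted to the
# caller's own rows, so someone else's id fails exactly like a nonexistent one.
def user_projects_find(user, id)
  project = PROJECTS.find { |p| p.owner_id == user.id && p.id == id }
  raise RecordNotFound, "Couldn't find Project with id=#{id} for user #{user.id}" unless project
  project
end

class ProjectsController
  def initialize(current_user)
    @current_user = current_user   # nil when nobody is logged in
  end

  # Cory's filter: authentication only. It answers "is someone logged in?",
  # not "may this person see project 17?".
  def login_required
    raise NotAuthenticated, "login required" unless @current_user
  end

  # Original (vulnerable) show: the filter passes for every logged-in user and
  # the find is unscoped, so any account can read /projects/17.
  def show_unscoped(id)
    login_required
    project_find(id)
  end

  # Fred's fix: the same filter plus a find scoped through the association.
  def show_scoped(id)
    login_required
    user_projects_find(@current_user, id)
  end
end

# Reduce a request to what the user would get back: the page, a 404, or a login redirect.
def outcome(controller, action, id)
  controller.public_send(action, id)
  :ok
rescue RecordNotFound
  :not_found
rescue NotAuthenticated
  :login_required
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, "alice")
  bob   = User.new(2, "bob")
  puts "bob    /projects/17 (unscoped find): #{outcome(ProjectsController.new(bob),   :show_unscoped, 17)}"
  puts "bob    /projects/17 (scoped find):   #{outcome(ProjectsController.new(bob),   :show_scoped,   17)}"
  puts "alice  /projects/17 (scoped find):   #{outcome(ProjectsController.new(alice), :show_scoped,   17)}"
  puts "nobody /projects/17 (scoped find):   #{outcome(ProjectsController.new(nil),   :show_scoped,   17)}"
end
```

Run stand-alone, the unscoped lookup hands bob another user's project while the scoped lookup turns the same request into a not-found, which is the behaviour Fred describes. Two points for the real app follow from this shape: the scoped find has to be used in every action that takes an id (edit, update, destroy, not only show), because the filter and the find are both per-action; and if projects are linked to users through a join table rather than owned directly, a has_many :through association on User gives current_user.projects the same scoped find.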
Actually, never mind. Frederick posted exactly what I was coming back to post!

--Cory
Great! Thank you for the advice. I had thought of doing the before_filter, but was not sure if that was the best way to go. Also, I like the "current_user.projects.find" idea.

Thanks again!

Nathan