Hi, I just have a "best practices" question. I'd like to block users that don't own a particular resource from performing edit/update/destroy actions on it. Here's how I currently do it:

## User has many resources, of different types

------- resource_controller.rb -------

  before_filter :require_ownership, :only => [:edit, :update, :destroy]

  ... public actions ...

  protected

  def require_ownership
    @resource = Resource.find(params[:id])
    redirect_to_somewhere unless owns?(@resource)
  end

------- application.rb -------

  def owns?(resource)
    resource.user_id == @current_user.id
  end

... And I apply this before_filter in the controller of any resource I'd like to restrict in a similar way. I'm new to Rails and MVC so I'm just wondering whether this is the best way of accomplishing this, or if a different method is recommended.

Thanks in advance!
Maurício Linhares
2008-Dec-19 20:17 UTC
Re: Recommended way of restricting action permissions?
The simpler way is just to search the user's resources when performing an edit/update/delete, like this:

  def edit
    @resource = @user.resources.find(params[:id])
  end

This way you can be sure that the user will not be able to select a resource that doesn't belong to him.

- Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/ (en)

On Fri, Dec 19, 2008 at 5:14 PM, Lisa Klein <lisaklein20-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
Ms. Klein,

I handle that situation very similarly, with the only disparity being where ownership is determined. In my opinion the object itself should know nothing about @current_user, whereas the application can know about Resource.user. I also tend to alias methods in my resources, like so:

  def owner
    user
  end

Then I ensure that every object has some owner alias if it is to be restricted, and in my :require_ownership before_filter, I do the following:

  def require_ownership
    if @resource.owner == @current_user
      ...
    end
  end

The end effect is the same, but this allows the resource to be used intact in another application without modification, regardless of @current_user in the other application. Just a matter of who knows what about whom.

Otherwise, unless someone can suggest a better method for us both, I personally think you're on the right track.

Cheers,

Darrik Mazey

Lisa Klein wrote:

-- 
Darrik Mazey
Developer
DMT Programming, LLC.
Thanks a lot for the replies! I guess I kind of prefer the before_filter method a little bit because then I don't have to replicate the redirect_if_not_found logic in each restricted action.

Thanks again!
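Added example, not code from any post in this thread: a Rails-free model of the two patterns discussed above (Lisa's unscoped find plus ownership filter, and Maurício's association-scoped find, wrapped in a single filter as Lisa's last reply prefers), so their behaviour can be compared offline. `Resource`, `User`, `ResourcesController` and the in-memory `STORE` are constructed stand-ins for the ActiveRecord models; the point it shows is that the scoped find answers "not found" for both a foreign id and a non-existent id and is enforced by the query itself, while the unscoped-find-then-check pattern depends on the filter being applied to every restricted action.

```ruby
# Added example, not code from the thread: a Rails-free model of the two
# ownership patterns discussed above. NotFound/Forbidden stand in for
# ActiveRecord::RecordNotFound and the redirect in require_ownership.
class NotFound  < StandardError; end
class Forbidden < StandardError; end

Resource = Struct.new(:id, :user_id)

class User
  attr_reader :id
  def initialize(id, store)
    @id = id
    @store = store   # constructed stand-in for the has_many :resources table
  end

  # Mirrors @user.resources.find(id): the owner is part of the query itself,
  # so another user's id is "not found" rather than fetched and then rejected.
  def find_resource(id)
    @store.find { |r| r.id == id && r.user_id == @id } || raise(NotFound, "resource #{id}")
  end
end

# Pattern A (original post): unscoped Resource.find, then an ownership check.
# Note it answers differently for "exists but not yours" and "does not exist".
def find_then_check_owner(store, current_user, id)
  resource = store.find { |r| r.id == id } || raise(NotFound, "resource #{id}")
  raise Forbidden, "resource #{id}" unless resource.user_id == current_user.id
  resource
end

# Pattern B (Maurício's reply) done once in a filter, as Lisa prefers, so every
# restricted action receives @resource without repeating the lookup.
class ResourcesController
  RESTRICTED = [:edit, :update, :destroy].freeze

  def initialize(current_user)
    @current_user = current_user
  end

  # Returns the loaded resource for restricted actions, nil for public ones.
  def dispatch(action, params)
    return nil unless RESTRICTED.include?(action)
    @resource = @current_user.find_resource(params[:id])
  end
end

# Constructed sample data: Alice (id 10) owns resource 1, Bob (id 20) owns 2.
STORE = [Resource.new(1, 10), Resource.new(2, 20)].freeze
ALICE = User.new(10, STORE)
```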