Example model: demo

--app
----Controllers
------application_controler.rb
------demos_controller.rb
----Models
------demo.rb
----Views
------demos
--------index.html.erb (I want to keep this)
--------edit.html.erb (delete)
--------new.html.erb (delete)
--------show.html.erb (delete)

http://localhost:3000/demos/new (should not be a route)
http://localhost:3000/demos/edit (should not be a route)
http://localhost:3000/demos/show (should not be a route)

I tried to create a new route:

    map.connect "*anything", :controller => 'rushing_offenses', :action => 'request_error'

.. and built a request_error.html.erb file so that if anyone tried to go
elsewhere while within that controller it would toss them to the
request_error.html.erb file (but that's not working)

I was trying to find more about RESTful routes but I'm just not finding
what I'm looking for.

Any help would be appreciated..

Thanks.
--
Posted via http://www.ruby-forum.com/.
I believe the easiest way I could find was:

    map.connect "rushing_offenses/*anything", :controller => 'rushing_offenses', :action => 'index'

.. which meant anything after
http://localhost:3000/rushing_offenses/.....

.. would automatically redirect back to the index for rushing_offenses

But, is this a bad thing to do this?

I basically don't want anyone to be able to access
new/delete/edit/update etc.. for specific model controllers. The model
controllers I'm referring to are those that just are available for
viewing..

I have the following in for generic error handling/requests :

    # Index Page
    map.root :controller => 'page'
    map.connect "*anything", :controller => 'page', :action => 'request_error'

So, when they enter anything that doesn't belong to a particular
controller or an invalid page they get redirected to a request_error
page. This handles invalid URLs on my site.

I understand that RESTful automatically creates the default views to
provide stateless viewing. In some cases, I just don't see the need for
those particular views.

Again, I would appreciate a response from anyone who understands what
I'm trying to do and to provide a best practices method to ensure I'm
doing this process properly.
--
Posted via http://www.ruby-forum.com/.
Yes, this is very bad, if there's no "edit", "update" or "destroy" in
your controller Rails will just send a 404 back to the browser, it
won't do anything like letting your user do something you haven't
programmed yourself.

Routing is just **routing**, it's all about sending a message, it
doesn't guarantee that there's someone on the other side to receive
it.

- Maurício Linhares
http://codeshooter.wordpress.com/ | http://twitter.com/mauriciojr

On Sat, Jun 13, 2009 at 6:50 PM, Älphä Blüë <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> I believe the easiest way I could find was:
>
> map.connect "rushing_offenses/*anything", :controller =>
> 'rushing_offenses', :action => 'index'
>
> .. which meant anything after
> http://localhost:3000/rushing_offenses/.....
>
> .. would automatically redirect back to the index for rushing_offenses
>
> But, is this a bad thing to do this?
>
> I basically don't want anyone to be able to access
> new/delete/edit/update etc.. for specific model controllers. The model
> controllers I'm referring to are those that just are available for
> viewing..
>
> I have the following in for generic error handling/requests :
>
> # Index Page
> map.root :controller => 'page'
> map.connect "*anything", :controller => 'page', :action =>
> 'request_error'
>
> So, when they enter anything that doesn't belong to a particular
> controller or an invalid page they get redirected to a request_error
> page. This handles invalid URLs on my site.
>
> I understand that RESTful automatically creates the default views to
> provide stateless viewing. In some cases, I just don't see the need for
> those particular views.
>
> Again, I would appreciate a response from anyone who understands what
> I'm trying to do and to provide a best practices method to ensure I'm
> doing this process properly.
> --
> Posted via http://www.ruby-forum.com/.
>
Maurício Linhares wrote:
> Yes, this is very bad, if there's no "edit", "update" or "destroy" in
> your controller Rails will just send a 404 back to the browser, it
> won't do anything like letting your user do something you haven't
> programmed yourself.

So, how do you block these specific actions?

Do I have to force those specific actions to the index?

For instance, anyone that types http://mydomain.com/rushing_offenses/new

.. can access the new template ..

I shouldn't have to edit the new.html.erb file to empty it out to fix
this..

I just don't understand how this type of routing is supposed to be
handled for cases where I simply don't want "anyone" accessing those
items..

Also, if a user clicks on a link beyond the controller parameter:

http://mydomain.com/rushing_offenses/goo (for instance) the following
error is returned on my screen:

    ActiveRecord::RecordNotFound in Rushing offensesController#show

I don't want errors like this to show for anyone. Is this just a
development error response and not one that shows up in production?

Thanks again.
--
Posted via http://www.ruby-forum.com/.
On Sat, Jun 13, 2009 at 7:05 PM, Älphä Blüë <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Maurício Linhares wrote:
>> Yes, this is very bad, if there's no "edit", "update" or "destroy" in
>> your controller Rails will just send a 404 back to the browser, it
>> won't do anything like letting your user do something you haven't
>> programmed yourself.
>
> So, how do you block these specific actions?
>
> Do I have to force those specific actions to the index?
>
> For instance, anyone that types http://mydomain.com/rushing_offenses/new
>
> .. can access the new template ..
>
> I shouldn't have to edit the new.html.erb file to empty it out to fix
> this..
>
> I just don't understand how this type of routing is supposed to be
> handled for cases where I simply don't want "anyone" accessing those
> items..
>

Read about before_filters and how you can deny access to actions for
unauthorized users.

You should definitely get a Rails book and read it instead of just
trying to force your way with the framework and the language. Will avoid
most of the common questions you're having.

The best one around now is this ->
http://www.pragprog.com/titles/rails3/agile-web-development-with-rails-third-edition

> Also, if a user clicks on a link beyond the controller parameter:
>
> http://mydomain.com/rushing_offenses/goo (for instance) the following
> error is returned on my screen:
>
> ActiveRecord::RecordNotFound in Rushing offensesController#show
>
> I don't want errors like this to show for anyone. Is this just a
> development error response and not one that shows up in production?
>

That's not the error the user will see in production. For this
specific error the page under public/500.html will be shown, this is a
development message only.

- Maurício Linhares
http://codeshooter.wordpress.com/ | http://twitter.com/mauriciojr
On Jun 13, 11:05 pm, "Älphä Blüë" <rails-mailing-l...@andreas-s.net> wrote:
> Maurício Linhares wrote:
> > Yes, this is very bad, if there's no "edit", "update" or "destroy" in
> > your controller Rails will just send a 404 back to the browser, it
> > won't do anything like letting your user do something you haven't
> > programmed yourself.
>
> So, how do you block these specific actions?
>

map.resources takes :only/:except options if you don't want certain
things to be routed. You also delete the new template and action.

> Also, if a user clicks on a link beyond the controller parameter:
>
> http://mydomain.com/rushing_offenses/goo (for instance) the following
> error is returned on my screen:
>
> ActiveRecord::RecordNotFound in Rushing offensesController#show
>
> I don't want errors like this to show for anyone. Is this just a
> development error response and not one that shows up in production?

in production typically users just see a generic 'something went
wrong' page. if you want something different you can rescue the
exception and show something appropriate.

Fred

>
> Thanks again.
>
> --
> Posted via http://www.ruby-forum.com/.
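The difference between routing only what a controller should expose (the :only option mentioned above) and the earlier catch-all route, modelled in plain Ruby as an added example. This is not code from the thread or from Rails: `resources`, `glob_to_index` and `recognize` are hypothetical stand-ins for the router, and the requests are constructed samples.

```ruby
# Plain-Ruby model of REST route recognition (hypothetical helpers, not Rails).
# The seven conventional actions, in matching order: "new" precedes "show".
REST = [
  [:index,   "GET",    ""],
  [:create,  "POST",   ""],
  [:new,     "GET",    "/new"],
  [:show,    "GET",    "/:id"],
  [:update,  "PUT",    "/:id"],
  [:destroy, "DELETE", "/:id"],
  [:edit,    "GET",    "/:id/edit"]
].freeze

# Route table for one resource; `only` is the allow-list of actions.
def resources(name, only: REST.map(&:first))
  REST.select { |action, _, _| only.include?(action) }.map do |action, verb, suffix|
    source = Regexp.escape("/#{name}#{suffix}").sub(":id", "[^/]+")
    { action: action, verb: verb, pattern: Regexp.new("\\A#{source}\\z") }
  end
end

# Catch-all like the thread's "rushing_offenses/*anything" route: any verb,
# any sub-path, always the index action.
def glob_to_index(name)
  { action: :index, verb: nil, pattern: Regexp.new("\\A/#{Regexp.escape(name)}/.*\\z") }
end

# Returns the action a request is dispatched to, or nil (no route: a 404).
def recognize(routes, verb, path)
  hit = routes.find { |r| (r[:verb].nil? || r[:verb] == verb) && r[:pattern].match?(path) }
  hit && hit[:action]
end

FULL      = resources("rushing_offenses")
READ_ONLY = resources("rushing_offenses", only: [:index])
MASKED    = READ_ONLY + [glob_to_index("rushing_offenses")]

# Constructed sample requests, compared across the three route tables.
[["GET", "/rushing_offenses/new"], ["GET", "/rushing_offenses/goo"],
 ["DELETE", "/rushing_offenses/1"]].each do |verb, path|
  puts format("%-6s %-24s full=%-8p only=%-5p glob=%p", verb, path,
              recognize(FULL, verb, path), recognize(READ_ONLY, verb, path),
              recognize(MASKED, verb, path))
end
```

With the allow-list, unrouted requests stay unrouted and get a 404; with the catch-all, every verb and path under the resource is answered by index, so a mistyped or probing URL no longer looks like an error in the logs.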
thanks again mate - I have that book - it was my next book to read. I
guess I'll get to it sooner than I expected..

Thanks for the clarification on the errors - I figured it was only what
I was seeing in development..
--
Posted via http://www.ruby-forum.com/.
map resources :only worked fine. I'll still look into the other
suggestions and catch up on some reading. Again, I appreciate the help.
I love reading but at the same time I love doing. I'll start two
chapters and then my mind drifts and says ooh that's a good idea.. and I
try new things..

Thanks for helping me out with some of my newbish questions.
--
Posted via http://www.ruby-forum.com/.
2009/6/13 Älphä Blüë <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>:
> ...
> I basically don't want anyone to be able to access
> new/delete/edit/update etc.. for specific model controllers. The model
> controllers I'm referring to are those that just are available for
> viewing..
>

If you really don't want any access to new/delete etc then you can
just remove these actions from the controller and delete the view erb
files for those actions.

Colin