Hi chaps. Just want to check that I'm on the right lines with protecting resources in an app, the idea that only the resource's owner can do stuff to it. I figure there are only two steps I need (with authlogic), but I may be missing stuff.

1st is a check-authorised before filter, which just checks that a valid user is logged in. That before filter is on all the actions that need protecting.

The 2nd step is to change the default find method in the controller from this type of thing

  @thing = Thing.find(params[:id])

to this ...

  @thing = current_user.things.find(params[:id])

Am I on the right lines?

-- Posted via http://www.ruby-forum.com/.
-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Anybody? Are there further steps required?
I'm doing it just like you described above. However, I would like to hear some more opinions on that as well.
Heinz Strunk wrote:
> I'm doing it just like you described above. However, I would like to hear
> some more opinions on that as well.

That's really good to know. A slight twist on it could be that I have seen people DRY it up and include more sophistication on the find by using a before filter for that too; then I could perhaps find only the user's things, but if the user is an admin, allow the admin to find anything (or edit or destroy anything). Trying to make sure I don't miss anything before implementing.

The thing is, the initial check will only check that there's a logged-in user, not a particular user. Then the find part is important, as it would always limit the "things" that can be found to the things that the current_user owns.

These are the typical two steps? Correct?
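An added example, not code from any poster in this thread, that sketches the two steps from the first post plus the admin twist from the last one in framework-free Ruby. Nothing in it is Rails or authlogic: `User`, `Thing`, the sample records, `require_user`, `owned_find` and the session hash are constructed stand-ins chosen so the file runs on its own. The point it makes is the one the thread circles around: the login filter only proves that somebody is signed in, while the association-scoped find is what stops user 1 from reading user 2's record by changing `params[:id]`, because an id the current user does not own resolves exactly like an id that does not exist.

```ruby
# Added example: a framework-free Ruby sketch of the two-step pattern from the
# thread. Nothing here is Rails or authlogic; User, Thing, the sample data and
# the session hash are constructed stand-ins so the file runs on its own.

User  = Struct.new(:id, :admin)
Thing = Struct.new(:id, :owner_id, :name)

class RecordNotFound < StandardError; end   # stand-in for ActiveRecord::RecordNotFound
class LoginRequired  < StandardError; end   # what the before filter would redirect on

# Constructed sample data: two ordinary users, one admin, three things.
USERS = {
  1 => User.new(1, false),
  2 => User.new(2, false),
  3 => User.new(3, true),
}.freeze

THINGS = [
  Thing.new(10, 1, "user 1's note"),
  Thing.new(11, 2, "user 2's note"),
  Thing.new(12, 2, "user 2's other note"),
].freeze

# Mimics Thing.find(params[:id]): any valid id resolves, whoever is asking.
def unscoped_find(id)
  THINGS.find { |t| t.id == id } or raise RecordNotFound, "Thing #{id}"
end

# Mimics current_user.things.find(params[:id]): the owner is part of the
# lookup, so another user's id behaves exactly like a nonexistent id.
def owned_find(user, id)
  THINGS.find { |t| t.id == id && t.owner_id == user.id } or
    raise RecordNotFound, "Thing #{id} for user #{user.id}"
end

# Step 1, the require_user before filter: proves *someone* is logged in and
# returns the current_user. It says nothing about which records they may touch.
def require_user(session)
  USERS[session[:user_id]] or raise LoginRequired, "login required"
end

# Step 2, with the admin twist from the thread: ordinary users only ever see
# their own things; an admin gets the unscoped finder.
def find_thing_for(user, id)
  user.admin ? unscoped_find(id) : owned_find(user, id)
end

# A controller action in miniature: filter first, then the scoped find.
def show(session, params)
  user = require_user(session)
  find_thing_for(user, params[:id])
end

# Maps each outcome to a symbol so the three cases (own record, someone
# else's record, not logged in) are easy to compare side by side.
def outcome(session, params)
  show(session, params)
  :ok
rescue RecordNotFound
  :not_found
rescue LoginRequired
  :login_required
end

if __FILE__ == $0
  # Contrast: without scoping, a logged-in user 1 can read user 2's thing.
  puts "unscoped find of 11 by user 1: #{unscoped_find(11).name}"
  puts "scoped show of 11 by user 1:   #{outcome({ user_id: 1 }, { id: 11 })}"
  puts "scoped show of 10 by user 1:   #{outcome({ user_id: 1 }, { id: 10 })}"
  puts "show of 11 by admin 3:         #{outcome({ user_id: 3 }, { id: 11 })}"
  puts "show of 10 with no session:    #{outcome({}, { id: 10 })}"
end
```

In real Rails the scoped `current_user.things.find` raises `ActiveRecord::RecordNotFound` for an id the user does not own, which Rails renders as a 404, so the caller learns nothing about whether the record exists. The thing to check when applying the pattern is that every action that loads a record (show, edit, update, destroy, not only index and show) goes through the scoped finder; a single action that falls back to the unscoped `Thing.find` undoes the protection for that action.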