Forum: Ruby on Rails Stop users accessing methods.

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Jeff J. (Guest)
on 2006-03-09 16:39
Hello all.

Is there a way to stop users from being able to access a controller's
methods without affecting the ability of other controllers to use them?

i.e.

class FooController < ApplicationController
  def secret
    # Stuff
  end
end

class BarController < ApplicationController
  def index
    # :action was written as a bare word in the original; it must be a symbol key
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

But directly accessing the URL server.com/foo/secret/007

would return a "Not found" error?

It seems protected and private stop other controllers from accessing
methods. I just want to stop users. (Or more specifically "Outside"
requests not from a controller).

Is this possible in RoR?

Thanks

Jeff
Jeremy E. (Guest)
on 2006-03-09 20:33
(Received via mailing list)
On 3/9/06, Jeff J. <removed_email_address@domain.invalid> wrote:
> Is there a way to stop users from being able to access a controller's
> methods without affecting the ability of other controllers to use them?

You can use a before filter to control access to the controller's
action.  The way to do this securely is to authenticate the user
somehow and check the authentication in the before filter.

>
>   def index
>    redirect_to :controller => 'foo', action => 'secret', :id => '007'
>   end
> end
>
> But directly accessing the URL server.com/foo/secret/007
>
> would return a "Not found" error?

The only way to do this without authenticating users is checking the
HTTP_REFERER, but that is trivially forgeable.  If security matters,
you should authenticate users and store the authentication information
in the session, and check that in the before filter.
Jeff J. (Guest)
on 2006-03-10 14:46
> The only way to do this without authenticating users is checking the
> HTTP_REFERER, but that is trivially forgeable.  If security matters,
> you should authenticate users and store the authentication information
> in the session, and check that in the before filter.

Bugger, I was afraid of that. When I say "users" in this case I just
mean people using the website. It has no actual user/security framework.

Thanks
Mark Reginald J. (Guest)
on 2006-03-10 15:51
(Received via mailing list)
Jeff J. wrote:

>
>
> It seems protected and private stop other controllers from accessing
> methods. I just want to stop users. (Or more specifically "Outside"
> requests not from a controller).
>
> Is this possible in RoR?

What I do for this is:

class BarController < ApplicationController
  def index
    # The marker is stored in the flash (session-backed), not in the URL
    flash[:from_bar] = true
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

class FooController < ApplicationController
  def secret
    # Flash entries only survive the one request following the redirect
    unless flash[:from_bar]
      raise ::ActionController::UnknownAction, 'no direct access permitted'
    end
    # Stuff
  end
end

--
We develop, watch us RoR, in numbers too big to ignore.
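The three gates discussed in this thread (a referer check, a flash marker set by the redirecting controller, and a session-backed login check in a before filter) side by side, as an added example that is not part of any post above. It is plain Ruby so it runs without Rails: the Request struct, BaseController, dispatch and the before_filter class macro are stand-ins for ActionController's filter chain, not the real API.

```ruby
# Added example, not from the thread. A minimal model of Rails' before-filter
# chain so the three access gates can be compared offline. Request, Session
# and before_filter here are assumptions standing in for ActionController.

Request = Struct.new(:path, :headers, :session, keyword_init: true)

class Forbidden < StandardError; end

class BaseController
  # Per-class registry of filter method names, like before_filter/before_action.
  def self.before_filters
    @before_filters ||= []
  end

  def self.before_filter(name)
    before_filters << name
  end

  attr_reader :request

  def initialize(request)
    @request = request
  end

  def session
    request.session
  end

  # Run every before filter; a filter that raises halts the chain and the
  # action body never executes.
  def dispatch(action)
    self.class.before_filters.each { |f| send(f) }
    send(action)
  end
end

# Gate 1: referer check. Anything carrying the expected header passes, which
# is why Jeremy calls it trivially forgeable: convenience only, not security.
class RefererGatedController < BaseController
  before_filter :require_referer

  def secret
    "secret data"
  end

  private

  def require_referer
    ref = request.headers["Referer"].to_s
    raise Forbidden, "direct access not permitted" unless ref.start_with?("http://server.com/bar")
  end
end

# Gate 2: Mark's flash marker. It lives in the (server-side or signed) session,
# so the client cannot set it in the URL, but any visit to /bar sets it, so it
# only stops bookmarking /foo/secret; it does not restrict who may reach it.
class FlashGatedController < BaseController
  before_filter :require_from_bar

  def secret
    "secret data"
  end

  private

  def require_from_bar
    # Flash values survive exactly one following request, so consume on read.
    raise Forbidden, "no direct access permitted" unless session.delete(:from_bar)
  end
end

# Gate 3: session-backed authentication, the option Jeremy recommends when
# security matters. Only a request whose session was populated by a login
# step reaches the action.
class SessionGatedController < BaseController
  before_filter :require_login

  def secret
    "secret data for user #{session[:user_id]}"
  end

  private

  def require_login
    raise Forbidden, "login required" unless session[:user_id]
  end
end

# Dispatch :secret on a controller and report either the result or the denial.
def attempt(controller_class, request)
  controller_class.new(request).dispatch(:secret)
rescue Forbidden => e
  "denied: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests for the URL from the thread.
  anon = Request.new(path: "/foo/secret/007", headers: {}, session: {})
  puts attempt(RefererGatedController, anon)
  puts attempt(FlashGatedController, Request.new(path: "/foo/secret/007", headers: {}, session: { from_bar: true }))
  puts attempt(SessionGatedController, Request.new(path: "/foo/secret/007", headers: {}, session: { user_id: 7 }))
end
```

Running the script shows the first request denied by the referer gate, the flash-marked request admitted once, and the logged-in session admitted; the same anonymous request fails both the flash and the session gates, which is the practical difference between "stop curious users" and "stop unauthorised users".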
Jeff J. (Guest)
on 2006-03-14 19:48
>
> BarController
>    def index
>      flash[:from_bar] = true
>      redirect_to :controller => 'foo', action => 'secret', :id => '007'
>    end
> end
>
> FooController
>    def secret
>      unless flash[:from_bar]
>        raise ::ActionController::UnknownAction, 'no direct access
> permitted'
>      end
>      #Stuff
>    end
> end
>
> --
> We develop, watch us RoR, in numbers too big to ignore.

Oooohhh devious. Thanks very much. This isn't really a security
implementation. Just to stop possibly silly curious users from messing
around.

Jeff