I have created an 'admin' controller and all the necessary definitions and templates to delete, update and edit records, and this is working OK, but how do I effectively restrict access to these defs from all but the admin user (called admin)? Currently I am just using if statements within the defs to check if it is the admin user logged in, e.g.:

  def index
    if (@session[:user].login == 'admin')
      #perform actions
    end
  end

but this produces horrible error messages if accidentally navigated to. Is there a cleaner way of doing this? Thanks in advance. Alex.
on 2006-05-13 21:13
on 2006-05-14 01:33
You need to make use of filters, by using before_filter, and giving it a set of functions you'd like to filter. You can use the :except clause to filter everything but some function, typically index. Thanks.
on 2006-05-14 06:05
If you define an "authorize" function in the admin controller, you can use it to choose if the user is allowed to see the action they've requested. If you return true, they're authorized, false otherwise. For instance:

  def authorize
    session[:user].is_admin?
  end
on 2006-05-14 19:17
Bryan D. wrote:
> If you define an "authorize" function in the admin controller, you can
> use it to choose if the user is allowed to see the action they've
> requested. If you return true, they're authorized, false otherwise. For
> instance:
>
> def authorize
>   session[:user].is_admin?
> end

Hi, thanks for the quick response. I was wondering if you could give me a more complete example of how to implement your idea with regards to protecting an 'index' function perhaps, because I can't get it to work at all. Alex
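A complete version of the pattern the replies describe, added here as an example and not taken from the thread or from Rails itself. The Controller base class is a self-contained stand-in for ActionController::Base (an assumption made so the file runs without Rails); it models the Rails 1.x rule that a before_filter returning false halts the chain, so the action body never runs for an unauthorized or not-logged-in user:

```ruby
# Added example, not code from the thread. Controller is a tiny stand-in
# for ActionController::Base so this runs without Rails; it models the
# Rails 1.x rule that a before_filter returning false halts the chain.
class Controller
  def self.before_filter(name, options = {})
    (@filters ||= []) << [name, Array(options[:except]).map(&:to_s)]
  end
  def self.filters
    @filters || []
  end
  attr_reader :session, :rendered
  def initialize(session)
    @session = session
  end
  # Run the filters not excepted for this action, then the action itself.
  def process(action)
    action = action.to_s
    self.class.filters.each do |name, except|
      next if except.include?(action)
      return @rendered unless send(name)
    end
    send(action)
    @rendered
  end
  def render(text)
    @rendered = text
  end
end

User = Struct.new(:login) do
  def is_admin?
    login == 'admin'
  end
end

class AdminController < Controller
  # Every action is protected unless listed under :except (deny by default).
  before_filter :authorize, :except => :index
  def index;   render "public index";   end
  def destroy; render "record deleted"; end
  private
  # A nil session user (nobody logged in) gets the same refusal, not a NoMethodError.
  def authorize
    user = session[:user]
    return true if user && user.is_admin?
    render "Access denied"
    false
  end
end
```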