Hi
I’m trying to use before_filter to allow access to a site. Only logged
in users can view any object in the controller, but only users with an
access_level higher than 2 can view specific objects. My code is:
IN USER_CONTROLLER

    before_filter :login_required
    before_filter :access_granted, :only => [:destroy, :new, :edit]

IN APPLICATION.RB

    def logged_in?
      !@current_user.blank?
    end
    helper_method :logged_in?

    def login_required
      return true if logged_in?
      session[:return_to] = request.request_uri
      redirect_to :controller => "/account", :action => "login" and return false
    end

    def access_granted
      if @current_user.blank?
        return false
      else
        return (@current_user.access_level == 2)
      end
    end
    helper_method :access_granted

Now the problem is, if you are not logged in, you can’t view anything.
But even if you are logged in and the method (:access_granted) returns
false (I’ve checked that this works), you can still access the object
new. I have to add that the framework was generated using a scaffold
generator.
Is the problem maybe the order in which rails executes the filters?
Thx for any help!
Abraham
I think instead of doing all that you could use roles, assign roles
whatever access and then authorize based on roles
That would make your job easy and also would keep your code clean.
just my 2 cents
On 13 Jun 2008, at 23:11, Peet V. wrote:
> Now the problem is, if you are not logged in, you can’t view anything.
> But even if you are logged in and the method (:access_granted) returns
> false (I’ve checked that this works), you can still access the object
> new. I have to add that the framework was generated using a scaffold
> generator.

Filters changed in Rails 2.0: the return value from them is ignored. A
filter stops the chain if and only if it redirects or renders something.
Fred
Frederick C. wrote:
> On 13 Jun 2008, at 23:11, Peet V. wrote:
> > Now the problem is, if you are not logged in, you can’t view anything.
> > But even if you are logged in and the method (:access_granted) returns
> > false (I’ve checked that this works), you can still access the object
> > new. I have to add that the framework was generated using a scaffold
> > generator.
>
> Filters changed in Rails 2.0: the return value from them is ignored. A
> filter stops the chain if and only if it redirects or renders something.
> Fred

Thx a lot Fred!!! That really helped…
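
The behaviour discussed in this thread, as an added example that is not part of any post and is not Rails source: a small stand-alone model of a filter chain that ignores return values and halts only on a redirect, run with the posted access_granted and with a redirecting version. MiniController, reaches_action? and the "/account/denied" target are hypothetical names; the `access_level == 2` check is kept as posted.

```ruby
# Simplified stand-in for a Rails 2.x controller (constructed for this
# example, not Rails source): filters run in order and the chain halts only
# when a filter has redirected; filter return values are ignored.
User = Struct.new(:access_level)

class MiniController
  attr_reader :redirected_to, :ran_action

  def initialize(current_user)
    @current_user = current_user
  end

  def redirect_to(target)
    @redirected_to = target
  end

  def performed?
    !@redirected_to.nil?
  end

  # Run each filter, then the action, unless a filter redirected.
  def process(filters)
    filters.each do |f|
      send(f)                     # return value deliberately discarded
      return self if performed?
    end
    @ran_action = true
    self
  end

  def login_required
    redirect_to("/account/login") if @current_user.nil?
  end

  # As posted in the thread: denial is signalled only by the return value.
  def access_granted_returning_false
    return false if @current_user.nil?
    @current_user.access_level == 2
  end

  # Fixed: denial is expressed by redirecting, which halts the chain.
  # "/account/denied" is a hypothetical target.
  def access_granted_redirecting
    redirect_to("/account/denied") unless @current_user && @current_user.access_level == 2
  end
end

# True when the protected action would run for this user and access filter.
def reaches_action?(user, access_filter)
  MiniController.new(user).process([:login_required, access_filter]).ran_action == true
end
```

In a real controller the same fix means access_granted must call redirect_to or render when access is denied, and a test for the protected actions should assert on the response (a redirect) rather than on the filter's return value.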