How to hide non-permitted actions?

I'm showing in the view a menu with just the options for a certain user, i.e.:

<% if user = "admin" %>
<a href="/action/addcontent">Add content</a>
<% end %>

and that works, but if the user goes and directly writes in the address bar myappurl/action/adcontent/TheContent, that is valid and the Rails app processes it.

How can I avoid this? I mean, remove access to certain actions of the Rails app completely.

Check out before_filter. This allows you to call a method (or Proc) to
determine whether the code should continue running.

class MyController < ApplicationController
  before_filter :authenticate

  private

  def authenticate
    # Returning false (or rendering/redirecting) halts the filter chain,
    # so the requested action never runs for an unauthenticated request.
    return true if session[:user_id]
    render :text => 'Forbidden', :status => 403
    false
  end
end

Also, check out the LoginEngine (http://api.rails-engines.org/login_engine/), a very comprehensive user authentication tool for Rails. Even if it's too much for your app, it still has a lot of good ideas in it on how to do just this.

Jason

Hi Ana,

Ana wrote:

if the user goes and directly writes in the address bar myappurl/action/adcontent/TheContent, that is valid and the Rails app processes it.

How can I avoid this? I mean, remove access to certain actions of the Rails app completely.

Put a line

protected

in your controller.

Then put any controller methods that you don't want to be available via user-entered URLs beneath that line. Anything below the 'protected' line can only be invoked from other methods in your app.

hth,
Bill

class HomeController < ApplicationController
  before_filter :verify_admin_user

  private

  def verify_admin_user
    user = session[:user_id]
    # find_by_id returns nil for a stale/unknown id instead of raising
    user = User.find_by_id(user) if user
    unless user && user.is_admin?
      redirect_to :controller => 'home', :action => 'index'
      return false  # halt the chain so the action does not run
    end
  end
end

You need to define the is_admin? method in your User model class.
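To show how the two pieces of advice in this thread fit together (a before_filter that halts non-admin requests, and `protected` helpers that are not routable), here is an added stand-alone Ruby model of that dispatch behaviour. It is not Rails and not code from any poster; MiniController, USERS and the '/home/index' path are constructed stand-ins.

```ruby
# Plain-Ruby model of the Rails pattern from this thread (not Rails itself):
# a before_filter halts the request unless the session user is an admin, and
# only public methods are routable, so `protected` helpers can't be hit by URL.
class MiniController
  def self.filters; @filters ||= []; end
  def self.before_filter(name); filters << name; end

  def initialize(session); @session = session; end

  # Like Rails: a non-public method is not an action (404); a filter that
  # returns false or redirects halts the chain before the action runs.
  def dispatch(action)
    actions = self.class.public_instance_methods(false).map(&:to_s)
    return { :status => 404 } unless actions.include?(action.to_s)
    self.class.filters.each do |f|
      result = send(f)
      return @response || { :status => 403 } if @response || result == false
    end
    send(action)
  end

  def redirect_to(path)
    @response = { :status => 302, :location => path }
  end
end

# Constructed stand-in for the User model with an is_admin? style flag.
USERS = { 1 => { :name => 'ana', :admin => true },
          2 => { :name => 'bob', :admin => false } }

class HomeController < MiniController
  before_filter :verify_admin_user

  def addcontent
    { :status => 200, :body => "added by #{current_user[:name]}" }
  end

  protected  # everything below is callable from code, not from a URL

  def current_user
    USERS[@session[:user_id]]
  end

  def verify_admin_user
    return true if current_user && current_user[:admin]
    redirect_to '/home/index'   # non-admins and anonymous users are bounced
    false
  end
end
```

Requesting 'verify_admin_user' or 'current_user' directly yields a 404 regardless of who is logged in, which is Bill's point about the `protected` line.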

How can I avoid this? I mean, remove access to certain actions of the

I'm showing in the view a menu with just the options for a certain user, i.e.:

<% if user = "admin" %>
<a href="/action/addcontent">Add content</a>
<% end %>

Hope you meant "==", because the above will always be true as it's assigning "admin" to the user variable... so everyone is going to see that link.
