I'm showing in the view a menu with just the options for a certain user, i.e.:
  <% if user == "admin" %>
    <a href="/action/addcontent">Add content</a>
  <% end %>
and that works, but if the user goes and directly writes
myappurl/action/adcontent/TheContent in the address bar, that is valid and the
Rails app processes it.
How can I avoid this? I mean, remove access to certain actions of the
Rails app completely.
Check out before_filter. This allows you to call a method (or Proc) to
determine whether the code should continue running.
  class MyController < ApplicationController
    before_filter :authenticate

    private

    # Runs before every action in this controller. Returning false halts
    # the filter chain, so the requested action is never executed.
    def authenticate
      user = User.find_by_id(session[:user_id])
      return true if user && user.is_admin?
      redirect_to :controller => 'home', :action => 'index'
      false
    end
  end
Also, check out the LoginEngine
(http://api.rails-engines.org/login_engine/),
a very comprehensive user authentication tool for Rails. Even if it's too
much for your app, it still has a lot of good ideas in it on how to do just
this.
if the user goes and directly writes myappurl/action/adcontent/TheContent
in the address bar, that is valid and the Rails app processes it.
How can I avoid this? I mean, remove access to certain actions of the
Rails app completely.
Put a line
  protected
in your controller.
Then put any controller methods that you don't want to be available via
user-entered URLs beneath that line. Anything below the 'protected' line can
only be invoked from other methods in your app.
  # Use as a before_filter; a false return halts the chain so the action
  # never runs for a non-admin or an anonymous request.
  def verify_admin_user
    user = session[:user_id]
    user = User.find_by_id(user) if user   # nil rather than an exception for a stale id
    unless user && user.is_admin?
      redirect_to :controller => 'home', :action => 'index'
      return false
    end
    true
  end
You need to define your is_admin? method in your User model class.
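Putting the two replies together, as an added example (not code from this thread or from Rails): a small stand-in for the Rails dispatcher and filter chain that runs offline and shows the two controller-side guarantees the view check alone does not give: a method below `private`/`protected` is not routable from a typed-in URL, and a before_filter that returns false stops the action from running. `MiniController`, `ContentController`, `USERS` and the `/home/index` path are made up for the example.

```ruby
# Minimal stand-in for the Rails dispatcher and before_filter chain (added
# example, not Rails code): only public methods are routable, and a before
# filter that returns false halts the request before the action runs.
class MiniController
  def self.before_filter(name, options = {})
    (@before_filters ||= []) << [name, options]
  end

  def self.before_filters; @before_filters || []; end

  def initialize(session = {})
    @session = session
  end

  # Dispatch a request for +action+, as a URL typed into the address bar would.
  def process(action)
    # Methods below 'protected' / 'private' are not public, so they are unroutable.
    raise NoMethodError, "no public action #{action}" unless self.class.public_method_defined?(action)
    self.class.before_filters.each do |name, opts|
      next if opts[:only] && !Array(opts[:only]).include?(action)
      return @response unless send(name)  # a false return halts the chain
    end
    send(action)
  end

  def redirect_to(path)
    @response = [:redirect, path]
  end
end

# Constructed sample users standing in for User.find and is_admin?.
User = Struct.new(:id, :admin) { def is_admin?; admin; end }
USERS = { 1 => User.new(1, true), 2 => User.new(2, false) }

class ContentController < MiniController
  before_filter :verify_admin_user, :only => [:addcontent]

  def index;      @response = [:rendered, :index]; end
  def addcontent; @response = [:rendered, :addcontent]; end

  private
  # Same check as the reply above: deny unless the session holds an admin.
  def verify_admin_user
    user = USERS[@session[:user_id]]
    return true if user && user.is_admin?
    redirect_to "/home/index"
    false
  end
end
```

Hiding the link in the view changes nothing here: `ContentController.new({}).process(:addcontent)` is what a hand-typed URL produces, and it is the filter, not the menu, that turns it into a redirect.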