How to restrict access to admin part of the page?


#1

Hi!

What is the easiest way to restrict access to some part of the page?
In PHP I just put .htaccess and .htpasswd files in /admin folder and it
worked.
Now I’ve got one admin folder for controllers, one for views, public
folder and I’m not really sure if it’s still possible. So what is the
easiest way? I don’t have any user logging features on my site, because
I don’t need them. I want only to restrict access to admin area.


#2

On 3/9/06, szymek removed_email_address@domain.invalid wrote:

I don’t have any user logging features on my site, because
I don’t need them. I want only to restrict access to admin area.

I’m not sure I follow you here. You want to restrict it to certain
users, so it seems to me that you need some kind of user-tracking - or
how do you know who your user is?

In any case: I’d create (or copy) a login controller, then add a
before_filter to the controller for areas you want to restrict.

– Joshua


#3

Well, you’re right, I wasn’t very clear about it.

On PHP sites I had separate folder admin for all administration pages. I
just put there .htaccess and .htpasswd files which forced user to log to
gain access to this folder and all pages within it. That’s it. I didn’t
write any line of logging code (if I didn’t need it of course).

Is it possible to do the same - restrict access using just .htaccess and
.htpasswd files instead of creating login controller and write a code?


#4

Thanks!

I’ll probably choose acts_as_authenticated as it looks simpler.

However it still would be much simpler to create 2 small files, than
installing new plugin and creating new ‘users’ table, which will have
only 1 user :)


#5

On 3/9/06, szymek removed_email_address@domain.invalid wrote:

Well, you’re right, I wasn’t very clear about it.

On PHP sites I had separate folder admin for all administration pages. I
just put there .htaccess and .htpasswd files which forced user to log to
gain access to this folder and all pages within it. That’s it. I didn’t
write any line of logging code (if I didn’t need it of course).

Is it possible to do the same - restrict access using just .htaccess and
.htpasswd files instead of creating login controller and write a code?

It’s outstandingly simple to add authentication to an existing Rails
app. Check out acts_as_authenticated and/or LoginEngine for a couple
of the many options available.

http://wiki.rubyonrails.com/rails/pages/Acts_as_authenticated
http://rails-engines.org/login_engine

– James


#6

Maybe you’re right about writing my own very simple login controller.

It would be probably faster using ruby, than installing and configuring
the plugin :)

Is it a huge security hole if I put username/(encoded)password inside my
controller?


#7

On 3/9/06, szymek removed_email_address@domain.invalid wrote:

However it still would be much simpler to create 2 small files, than
installing new plugin and creating new ‘users’ table, which will have only 1
user :)

  1. In many cases, yes, but not all (especially shared) hosts allow
     .htaccess files, even for authentication.

  2. It’s not necessary to install a plugin, nor to create a users
     table. Those are alternatives to writing your own login controller.


#8

On 3/9/06, szymek removed_email_address@domain.invalid wrote:

Is it a huge security hole if I put username/(encoded)password inside my
controller?

In general? I don’t think it’s a huge security hole.
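
On the question in #6 and #8 about keeping a username and encoded password next to the controller, here is an added example (not code from anyone in this thread) of an HTTP Basic check that stores only a salted PBKDF2 hash, which is the kind of check the before_filter suggested in #2 could call. The names `derive`, `basic_credentials`, `secure_compare`, `admin_authorized?` and `DEMO`, and the sample credentials, are made up for illustration.

```ruby
require "openssl"

ITERATIONS = 100_000 # example work factor chosen for this sketch

# Slow, salted one-way hash; store only its output, never a reversible encoding.
def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

# Constructed demo record. In a real app, compute the hash once offline and
# load user/salt/hash from the environment or a file outside the repository.
DEMO = { user: "admin", salt: "constructed-salt-0001" }
DEMO[:hash] = derive("demo-password", DEMO[:salt])

# Parse "Authorization: Basic <base64(user:pass)>"; nil if malformed.
def basic_credentials(header)
  scheme, payload = header.to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && payload
  user, pass = payload.unpack1("m0").split(":", 2) # "m0" = strict base64
  pass ? [user, pass] : nil
rescue ArgumentError # invalid base64
  nil
end

# Byte-wise comparison without early exit on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check a before_filter on the admin controllers would run against the
# request's Authorization header; on false, answer 401 with
# "WWW-Authenticate: Basic" so the browser prompts for credentials.
def admin_authorized?(header, stored = DEMO)
  user, pass = basic_credentials(header)
  return false unless user
  # Always derive the hash, even when the username is already wrong.
  pass_ok = secure_compare(derive(pass, stored[:salt]), stored[:hash])
  user_ok = secure_compare(user, stored[:user])
  user_ok && pass_ok
end
```

Basic credentials are only base64-encoded on the wire, so the admin area should be served over HTTPS.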