Hi Everyone. I am working on my first Ruby on Rails app. It is a
basic project management application. I have user login/logout
functionality set up. It will only display a list of projects that
are linked to the logged in user. However, if someone else logs in
and types in a url such as www.projectmanagement.com/projects/17
(where 17 is a project id), they will be able to see that project even
if they are not linked to it. What is the best design approach to
this problem?
Instead of doing Project.find do current_user.projects.find
This restricts the find to projects owned by that user.
I would think a simple before_filter would work for you that would
require a login before those projects could be viewed. Once they
login, they would only be able to see the projects that they are
assigned to.
Your before_filter would be placed up top in the controller for
projects.
Then you could add all of the other actions that required a login as
well such as :show, :add, :edit, :delete, etc., etc. I am certainly no
Rails genius yet, but I think this would work for you.
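The two replies above describe the same fix from two angles: require a login before the action runs, and look the project up through `current_user.projects` rather than the global `Project.find`, so a guessed id outside the user's own projects is simply "not found". The following is an added example, not code from this thread or from the poster's app: it models that pattern in plain Ruby so it runs without Rails. The `User`, `Project`, `NotFound` and `Unauthorized` names, the `show` method standing in for the controller action, and the sample users and projects are all assumptions.

```ruby
# Added example (not from the thread): scoped lookup through the current
# user's projects, modelled in plain Ruby so it runs outside Rails.

class NotFound < StandardError; end      # stand-in for ActiveRecord::RecordNotFound
class Unauthorized < StandardError; end  # stand-in for a login before_filter redirecting away

Project = Struct.new(:id, :name)

class User
  attr_reader :name, :projects
  def initialize(name, projects)
    @name = name
    @projects = projects   # the projects this user is linked to
  end
end

# Constructed sample data: two projects, alice linked to 17, bob only to 18.
ALL_PROJECTS = [Project.new(17, "Payroll rewrite"), Project.new(18, "Website")]
ALICE = User.new("alice", [ALL_PROJECTS[0]])
BOB   = User.new("bob",   [ALL_PROJECTS[1]])

# The lookup the question describes: Project.find(params[:id]) searches the
# whole table, so any logged-in user can open any project by guessing its id.
def find_project_globally(id)
  ALL_PROJECTS.find { |p| p.id == id } or raise NotFound, "Project #{id} not found"
end

# The lookup the first reply suggests: current_user.projects.find(params[:id])
# searches only the projects linked to this user, so someone else's project id
# fails exactly as an unknown id would.
def find_project_for(user, id)
  user.projects.find { |p| p.id == id } or
    raise NotFound, "Project #{id} not found for #{user.name}"
end

# Controller-style show action: the login check first (what the second reply's
# before_filter enforces), then the lookup scoped to the current user.
def show(current_user, id)
  raise Unauthorized, "login required" if current_user.nil?
  find_project_for(current_user, id)
end

if __FILE__ == $PROGRAM_NAME
  puts show(ALICE, 17).name        # alice sees her own project
  begin
    show(BOB, 17)                  # bob types /projects/17 and is refused
  rescue NotFound => e
    puts "refused: #{e.message}"
  end
  puts find_project_globally(17).name   # the unscoped lookup lets bob through
end
```

The point of scoping the query rather than fetching the project and then checking ownership is that there is no second step to forget: the only rows the query can ever return are ones the user is linked to.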
Great! Thank you for the advice. I had thought of doing the
before_filter, but was not sure if that was the best way to go. Also,
I like the “current_user.projects.find” idea.