How to secure controller functions per user

I’ve got an app running that uses acts as attachment.

Works well and I’ve secured an admin area and an owners area.

Trouble is I now need to secure each action to ensure that people can’t
just alter a url to edit another owners records. Any tips for doing
this…?

I have a concept of a logged in owner. @owner = current_owner.

Be grateful for any pointers, I’m looking for the simplest solution.

On Jan 1, 2008, at 10:32 PM, bingo bob wrote:

> I have a concept of a logged in owner. @owner = current_owner.
>
> Be grateful for any pointers, I’m looking for the simplest solution.

Don’t secure the controller method, secure the record. In a schema
where:

User :has_many Thingies

you can do:

current_user.thingies.find(params[:id])

Where current_user is typically instantiated by your authentication
filter. This effectively scopes the find only to those thingies that
belong to a particular user.

Thanks, that’s fantastic. That sounds like a much more elegant idea. At
least this way I don’t have to worry about securing each and every
controller, and additionally I can control access in a single place.

One further point on this, I allow an “admin” (just a regular owner who
I specify by name) access to everything. Can you advise how I’d
implement that also?

On Jan 2, 2008, at 12:09 AM, bingo bob wrote:

> Thanks, that’s fantastic. That sounds like a much more elegant idea. At
> least this way I don’t have to worry about securing each and every
> controller, and additionally I can control access in a single place.
>
> One further point on this, I allow an “admin” (just a regular owner who
> I specify by name) access to everything. Can you advise how I’d
> implement that also?

Good question. Obviously, you are moving more toward an ACL or
role-based authentication system, so it’s not as simple as keeping
people out of each others’ data. If you created a habtm relationship
instead of has_many, your data records could belong to both the
user-level owner and also the admin. Just a thought.