How to secure controller functions per user

I’ve got an app running that uses acts as attachment.

Works well and i’ve secured an admin area and an owners area.

Trouble is I now need to secure each action to ensure that people can’t
just alter a url to edit another owners records. Any tips for doing
this…?

I have a concept of a logged in owner. @owner = current_owner.

Be grateful for any pointers, i’m looking for the simplest solution.

On Jan 1, 2008, at 10:32 PM, bingo bob wrote:

I have a concept of a logged in owner. @owner = current_owner.

Be grateful for any pointers, i’m looking for the simplest solution.

Don’t secure the controller method, secure the record. In a schema
where:

User :has_many Thingies

you can do:

current_user.thingies.find(params[:id])

Where current_user is typically instantiated by your authentication
filter. This effectively scopes the find only to those thingies that
belong to a particular user.

Thanks that’s fantastic. That sounds like a much more elegant idea, At
least this way I don’t have to worry about securing each and every
controller and additionally can control access in a single place.

One further point on this, I allow an “admin” (just a regular owner who
I specify by name) access to everything. Can you advise how I’d
implement that also?

On Jan 2, 2008, at 12:09 AM, bingo bob wrote:

Thanks that’s fantastic. That sounds like a much more elegant idea, At
least this way I don’t have to worry about securing each and every
controller and additionally can control access in a single place.

One further point on this, I allow an “admin” (just a regular owner
who
I specify by name) access to everything. Can you advise how I’d
implement that also?

Good question. Obviously, you are moving more toward an ACL or role-
based authentication system, so it’s not as simple as keeping people
out of each others’ data. If you created a habtm relationship instead
of has_many, your data records could belong to both the user-level
owner and also the admin. Just a thought.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs