I’ve got an app running that uses acts as attachment.
Works well and I’ve secured an admin area and an owners area.
Trouble is I now need to secure each action to ensure that people can’t
just alter a URL to edit another owner’s records. Any tips for doing
this…?
I have a concept of a logged in owner: @owner = current_owner.
I’d be grateful for any pointers; I’m looking for the simplest solution.
On Jan 1, 2008, at 10:32 PM, bingo bob wrote:
> I have a concept of a logged in owner: @owner = current_owner.
> I’d be grateful for any pointers; I’m looking for the simplest solution.
Don’t secure the controller method, secure the record. In a schema
where:
User :has_many Thingies
you can do:
current_user.thingies.find(params[:id])
Where current_user is typically instantiated by your authentication
filter. This effectively scopes the find only to those thingies that
belong to a particular user.
Thanks, that’s fantastic. That sounds like a much more elegant idea. At
least this way I don’t have to worry about securing each and every
controller, and additionally I can control access in a single place.
One further point on this: I allow an “admin” (just a regular owner who
I specify by name) access to everything. Can you advise how I’d
implement that also?
On Jan 2, 2008, at 12:09 AM, bingo bob wrote:
> Thanks, that’s fantastic. That sounds like a much more elegant idea. At
> least this way I don’t have to worry about securing each and every
> controller, and additionally I can control access in a single place.
> One further point on this: I allow an “admin” (just a regular owner who
> I specify by name) access to everything. Can you advise how I’d
> implement that also?
Good question. Obviously, you are moving more toward an ACL or
role-based authentication system, so it’s not as simple as keeping people
out of each others’ data. If you created a habtm relationship instead
of has_many, your data records could belong to both the user-level
owner and also the admin. Just a thought.
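An added example, not code from the thread or from Rails: a plain-Ruby stand-in for the association-scoped find from the first reply (`current_user.thingies.find(params[:id])`), shown beside the unscoped lookup that lets a URL edit reach another owner's record, plus one way to give the "admin" from the second message access to everything (the admin gets the unscoped collection; that is an alternative to the habtm suggestion, chosen here for illustration). The names Owner, Thingy, OwnedCollection, RecordNotFound and the three sample records are assumptions, constructed so the file runs without a database.

```ruby
# Added example, not the thread's code. Models "secure the record, not the
# controller method": the find is scoped through the owner's association,
# so an id that belongs to someone else is simply not found.
# Owner, Thingy, OwnedCollection, RecordNotFound and the data are assumed.

class RecordNotFound < StandardError; end

Thingy = Struct.new(:id, :owner_id, :title)

# Stand-in for the thingies table: constructed sample rows for two owners.
THINGIES = [
  Thingy.new(1, 10, "alice's first"),
  Thingy.new(2, 10, "alice's second"),
  Thingy.new(3, 20, "bob's only"),
].freeze

# Minimal stand-in for a has_many association proxy: a collection that is
# already filtered to one owner, whose #find raises for ids outside it,
# which is what current_user.thingies.find(params[:id]) does in Rails.
class OwnedCollection
  def initialize(records)
    @records = records
  end

  def find(id)
    @records.find { |t| t.id == Integer(id) } or
      raise RecordNotFound, "Thingy #{id}"
  end

  def ids
    @records.map(&:id)
  end
end

class Owner
  attr_reader :id, :name

  def initialize(id, name, admin: false)
    @id, @name, @admin = id, name, admin
  end

  def admin?
    @admin
  end

  # The has_many side: only this owner's thingies, never anyone else's.
  def thingies
    OwnedCollection.new(THINGIES.select { |t| t.owner_id == id })
  end
end

# UNSCOPED (the problem in the original post): the URL parameter alone
# decides which record comes back, so any logged-in owner can reach any id.
def find_thingy_unscoped(_current_owner, params)
  THINGIES.find { |t| t.id == Integer(params[:id]) } or
    raise RecordNotFound, "Thingy #{params[:id]}"
end

# SCOPED: the lookup goes through current_owner.thingies, so ids owned by
# someone else raise RecordNotFound. An admin (the "access to everything"
# owner) is handed the whole table instead; that choice is this example's,
# not the thread's.
def find_thingy(current_owner, params)
  scope = if current_owner.admin?
            OwnedCollection.new(THINGIES)
          else
            current_owner.thingies
          end
  scope.find(params[:id])
end

ALICE = Owner.new(10, "alice")
BOB   = Owner.new(20, "bob")
ROOT  = Owner.new(30, "root", admin: true)

if __FILE__ == $0
  puts find_thingy(ALICE, { id: "1" }).title          # alice edits her own
  begin
    find_thingy(BOB, { id: "1" })                     # bob tampers with the id
  rescue RecordNotFound => e
    puts "blocked: #{e.message}"
  end
  puts find_thingy(ROOT, { id: "1" }).title           # admin sees everything
  puts find_thingy_unscoped(BOB, { id: "1" }).title   # the unscoped hole
end
```

In a real controller the difference is one line: `@thingy = current_owner.thingies.find(params[:id])` instead of `Thingy.find(params[:id])`, and a `rescue_from ActiveRecord::RecordNotFound` (or the default 404) covers the tampered-id case without any per-action checks.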