Login_generator Restricting Specific Users


#1

I have created an ‘admin’ controller and all the necessary definitions
and templates to delete, update and edit records and this is working OK,
but how do I effectively restrict access to these defs from all but the
admin user (called admin)?

Currently I am just using if statements within the defs to check if it
is the admin user that is logged in, e.g.:

def index
  # only run the action body when the logged-in user is the admin account
  if (@session[:user].login == 'admin')
    # perform actions
  end
end

but this produces horrible error messages if accidentally navigated to.
Is there a cleaner way of doing this?

Thanks in advance. Alex.


#2

If you define an “authorize” function in the admin controller, you can
use it to choose if the user is allowed to see the action they’ve
requested. If you return true, they’re authorized, false otherwise. For
instance:

def authorize
  session[:user].is_admin?
end


#3

Bryan D. wrote:

If you define an “authorize” function in the admin controller, you can
use it to choose if the user is allowed to see the action they’ve
requested. If you return true, they’re authorized, false otherwise. For
instance:

def authorize
  session[:user].is_admin?
end

Hi,

Thanks for the quick response, I was wondering if you could give me a
more complete example with how to implement your idea with regards to
protecting an ‘index’ function perhaps because I can’t get it to work at
all.

Alex


#4

You need to make use of filters, by using before_filter, and giving it a
set of functions you’d like to filter. You can use the :except clause to
filter everything but some function, typically index.

Thanks.
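To show how the authorize function from #2 and the before_filter/:except advice from #4 fit together, here is an added example that is not from the thread and not Rails itself: a tiny stand-in for before_filter so the pattern runs outside Rails. The user class, the /login redirect and the action names are assumptions for illustration.

```ruby
# Minimal stand-in for Rails' before_filter (hypothetical, not Rails code).
# A filter that returns false halts the chain, so the protected action
# never runs; that is what keeps non-admins out of destroy/update/edit.
class MiniController
  def self.filters; @filters ||= []; end

  # before_filter :name, :except => [...] or :only => [...]
  def self.before_filter(name, opts = {})
    filters << { name: name, except: Array(opts[:except]), only: Array(opts[:only]) }
  end

  attr_reader :session, :redirected_to

  def initialize(session)
    @session = session
  end

  # Run the filters that apply to this action, then the action itself.
  def process(action)
    @redirected_to = nil
    self.class.filters.each do |f|
      next if f[:except].include?(action)
      next if f[:only].any? && !f[:only].include?(action)
      return :halted unless send(f[:name])
    end
    send(action)
  end
end

# Assumed user object: only the account whose login is "admin" is an admin.
User = Struct.new(:login) do
  def is_admin?; login == "admin"; end
end

class AdminController < MiniController
  # Everything except index requires an admin; index stays reachable.
  before_filter :authorize, :except => :index

  def authorize
    return true if session[:user] && session[:user].is_admin?
    @redirected_to = "/login"   # send non-admins somewhere sensible
    false                       # halt: no confusing error from the action
  end

  def index;   :index_page;     end
  def destroy; :record_deleted; end
end
```

With this wiring a non-admin (or a visitor with no session user at all) who navigates to destroy is redirected instead of hitting an exception, while index still renders for everyone.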