Prevent users from entering urls

How could I make it so that links on my page could link to a controller’s
action, but if the user manually entered the URL, it would redirect them
back to the main page? Is this possible?

Thank you,
-Ben L.

On 7/25/06, Ben L. wrote:

How could I make it so that links on my page could link to a controller’s
action, but if the user manually entered the URL, it would redirect them
back to the main page? Is this possible?

How about using a session? I didn’t try it, but maybe this would work:

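    module ActionView
      module Helpers
        module UrlHelper
          # Reopening the module replaces link_to, so super has nothing to
          # call; keep the original reachable under an alias instead.
          alias_method :link_to_without_tracking, :link_to

          def link_to(name, options = {}, html_options = nil,
                      *parameters_for_method_reference)
            # Remember the target of the link being rendered.
            session[:to_url] = options
            # Return the generated tag, not the session assignment.
            link_to_without_tracking(name, options, html_options,
                                     *parameters_for_method_reference)
          end
        end
      end
    end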

Then in your controller you could do a before_filter or something with
a method to check that the URL matches the to_url and wipe it out of
the session. Or you could just check the HTTP Referrer, but that can
be spoofed.

Michael S.

Couldn’t you just check HTTP_REFERER? If it’s defined, you could do some
regex on it to make sure that they made it there from a link inside your
application. Unless I’m mistaken, a manually entered URL doesn’t have a
referrer.

Sorry I can’t be more specific with code… I’m at my day job ;)

Matt

Add a parameter to the link that is a SHA1/MD5/combo
crypto hash of a random value stored in their session.
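
Added example (not part of the original thread): one way to implement the per-session link token suggested above, which also covers the session-based check proposed in the earlier reply. It uses HMAC-SHA256 over the link path in place of a bare SHA1/MD5 hash; the LinkToken module, the :link_secret session key and the token parameter name are hypothetical, and plain hashes stand in for the Rails session.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical helper (not a Rails API): signs link paths with a random
# per-session secret so a filter can tell rendered links from typed-in URLs.
module LinkToken
  module_function

  # The random value lives only in the server-side session.
  def session_secret(session)
    session[:link_secret] ||= SecureRandom.hex(32)
  end

  # HMAC-SHA256 binds the token to one path and one session.
  def sign(session, path)
    OpenSSL::HMAC.hexdigest('SHA256', session_secret(session), path)
  end

  # Call when rendering a link: appends the token as a query parameter.
  def signed_path(session, path)
    separator = path.include?('?') ? '&' : '?'
    "#{path}#{separator}token=#{sign(session, path)}"
  end

  # Call from a before_filter: true only for a token issued for this path
  # in this session. A session that never rendered a link has no secret.
  def valid?(session, path, token)
    return false unless token.is_a?(String) && session[:link_secret]
    secure_equal?(sign(session, path), token)
  end

  # Constant-time comparison so timing does not leak the expected token.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed demo: two plain hashes stand in for two users' sessions.
session_a = {}
session_b = {}
link = LinkToken.signed_path(session_a, '/articles/list')
token = link.split('token=').last
puts LinkToken.valid?(session_a, '/articles/list', token)  # link clicked in the same session
puts LinkToken.valid?(session_a, '/articles/list', nil)    # URL typed without a token
puts LinkToken.valid?(session_b, '/articles/list', token)  # token from another session
```

The token travels with the URL, so a link copied or bookmarked within the same session still validates; the check separates rendered links from hand-typed URLs and is not an access control.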

Thanks guys for your responses. Ezra, great idea with return
redirect_to :controller => 'go_away' unless request.xhr?. That’s
what I’m usin’ ;)

-Ben

On 7/25/06, Matt W. wrote:

Couldn’t you just check HTTP_REFERER? If it’s defined, you could do some
regex on it to make sure that they made it there from a link inside your
application. Unless I’m mistaken, a manually entered URL doesn’t have a
referrer.

The problem, as I mentioned, is that HTTP_REFERER is given to the
server through the request header (usually by a browser). Because of
this, it isn’t very difficult to insert a fake referrer. An example of
how to do this from
http://ow.bbclone.de/2005/11/20/know-your-enemy-how-to-simulate-fake-connections/
:

    $ wget -q -U "Mozilla/5.0 (Java 1.5.0_05; Windows XP 5.1 x86; en) ICEbrowser/v6_0_2" \
        --header="X-Forwarded-For: 192.168.0.1" -i="/home/me/server-list.txt" \
        --referer="http://www.example.org/adipexanax/buy-adipexanax-now.html" \
        -O /dev/null

As far as the server is concerned, that user came from
http://www.example.org/adipexanax/buy-adipexanax-now.html which is
obviously not the case.

If you do still want to use HTTP_REFERER, you can just access
request.env["HTTP_REFERER"]

I would like to know because in my app, I have a main view. It’s
called Headline. Headline view is always displayed, and there’s a
div in it called Content. Whenever the user clicks on the nav menu
to change to different sections, it just calls another controller’s
action and throws it into the Content div. I wanted to be able to
show a little loading spinner while the user navigates around the
site, no matter what they do. Thus, I have the loading spinner in
the nav menu of the Headline controller, and I do ajax updates of
Content to load the various pages.

The reason why I don’t want them to manually enter in URLs is
because then they would load the page without the Headline Nav menu
stuff. So there’s no real security reason, just aesthetics.

Also, since I’m still a newbie to Rails, I’d like to know if what I’m
doing is a bad idea for some reason or another.

Thanks,
Ben L.

Well this does seem a bit tricky. I wonder if you can use hide_action
to hide the controllers/actions but still make them callable via your
links? I would guess so if you are using link_to_remote, but that is a
guess.

How could I make it so that links on my page could link to a controller’s
action, but if the user manually entered the URL, it would redirect them
back to the main page? Is this possible?

I was just curious as to why you would need to do this? Security reasons?
What if someone bookmarked that page?

On Jul 25, 2006, at 8:26 PM, Ben L. wrote:

The reason why I don’t want them to manually enter in URLs is
because then they would load the page without the Headline Nav menu
stuff. So there’s no real security reason, just aesthetics.

Also, since I’m still a newbie to Rails, I’d like to know if what
I’m doing is a bad idea for some reason or another.

Thanks,
Ben L.

Ben, manually entered URLs will make a GET request. Your ajax actions
will use an XMLHttpRequest. You can check for these and redirect to
the proper place if the request is not an ajax request. It’s not
foolproof, as you can craft a request to look like an ajax request. But
is it important enough to do any more than this?

    def ajax_action
      return redirect_to :controller => 'go_away' unless request.xhr?
      # If it makes it here, it's an ajax request and not one a user
      # typed into their browser.
    end

-Ezra

cool, thanks
