Protecting resources in an app

hi chaps. just want to check that i'm on the right lines with protecting
resources in an app, the idea that only the resource's owner can do stuff
to it. I figure there are only two steps I need (with authlogic), but I
may be missing stuff.

1st is a check-authorised before filter, which just checks that a valid
user is logged in. That before filter is on all the actions that need
protecting.

The 2nd step is to change the default find method in the controller from
this type of thing:

    @thing = Thing.find(params[:id])

to this:

    @thing = current_user.things.find(params[:id])

am I on the right lines ?

I’m doing it just like you described above. However I would like to hear
some more opinions on that as well.

Anybody? Are there further steps required?

Heinz S. wrote:

I’m doing it just like you described above. However I would like to hear
some more opinions on that as well.

That's really good to know - a slight twist on it could be that I have
seen people DRY it up and include more sophistication on the find by
using a before filter for that too. Then I could perhaps find only the
user's things, but if the user is an admin, allow the admin to find
anything (or edit or destroy anything).

Trying to make sure I don’t miss anything before implementing.

The thing is, the initial check will only check that there's a logged-in
user, not a particular user. Then the find part is important, as it
would always limit the "things" that can be found to the things that
the current_user owns. These are the typical two steps? Correct?
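An added example, not from any poster in this thread: a plain-Ruby model of the two steps described above (the "is anyone logged in" filter, then the owner-scoped find) plus the admin twist mentioned earlier, so it runs without Rails or Authlogic. The names ThingStore, find_for, load_thing, NotFound and NotAuthorized are hypothetical stand-ins for the Rails pieces (ActiveRecord::RecordNotFound, the before filters); the users and things are constructed sample data.

```ruby
# Added example (not from the thread): a plain-Ruby model of the two checks the
# poster describes, so it runs without Rails or Authlogic. ThingStore, find_for,
# load_thing, NotFound and NotAuthorized are hypothetical stand-ins.

User  = Struct.new(:id, :name, :admin)
Thing = Struct.new(:id, :owner_id, :title)

# Stand-in for ActiveRecord::RecordNotFound, which a scoped `find` raises
# when the record is not in the scope (Rails turns that into a 404).
class NotFound < StandardError; end
class NotAuthorized < StandardError; end

class ThingStore
  def initialize(things)
    @things = things
  end

  # Unscoped lookup, like Thing.find(params[:id]): any logged-in user can
  # reach any record just by supplying its id.
  def find(id)
    @things.find { |t| t.id == id } or raise NotFound, "Thing #{id} not found"
  end

  # Scoped lookup, like current_user.things.find(params[:id]): the owner
  # filter is part of the query, so a record the user does not own is absent.
  def find_for(user, id)
    @things.find { |t| t.id == id && t.owner_id == user.id } or
      raise NotFound, "Thing #{id} not found for user #{user.id}"
  end
end

# Step 1: the "require user" before filter. It only checks that *someone*
# is logged in, not that it is the right someone.
def require_user!(current_user)
  raise NotAuthorized, "login required" if current_user.nil?
  current_user
end

# Step 2 as a before filter that loads the record, with the admin twist from
# the thread: admins search the whole table, everyone else only their own.
def load_thing(store, current_user, id)
  require_user!(current_user)
  current_user.admin ? store.find(id) : store.find_for(current_user, id)
end

# Constructed sample data for the demonstration.
ALICE = User.new(1, "alice", false)
BOB   = User.new(2, "bob", false)
ROOT  = User.new(3, "root", true)
STORE = ThingStore.new([
  Thing.new(10, ALICE.id, "alice's note"),
  Thing.new(11, BOB.id, "bob's note"),
])

# Reports the outcome of a request as a title or a symbol, so the four
# cases (own record, someone else's, not logged in, admin) are easy to compare.
def outcome(store, user, id)
  load_thing(store, user, id).title
rescue NotFound
  :not_found
rescue NotAuthorized
  :not_authorized
end

if __FILE__ == $PROGRAM_NAME
  puts outcome(STORE, ALICE, 10) # => "alice's note"
  puts outcome(STORE, ALICE, 11) # => :not_found (step 1 alone would have allowed this)
  puts outcome(STORE, nil, 11)   # => :not_authorized
  puts outcome(STORE, ROOT, 11)  # => "bob's note"
end
```

The second call is the case step 1 cannot catch on its own: alice is a perfectly valid logged-in user, and only the owner scope in the find keeps bob's record out of reach. Because the scope is applied in the query rather than after loading, the "not yours" and "does not exist" cases look identical to the caller, which is exactly what the Rails version gives you for free.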