To all:

Hi,

I used Rails 1.2.6 + the restful_authentication plugin.
  # base_url
  base = '/v1'
  map.resources :users, :path_prefix => base
  map.resources :users do |users|
    users.resources :orders, :path_prefix => '/v1/users/:id'
  end
  map.resource :session
  map.signup '/signup', :controller => 'users', :action => 'new'
  map.login '/login', :controller => 'session', :action => 'new'
  map.logout '/logout', :controller => 'session', :action => 'destroy'

This is my routes.rb.
When I first started my WEBrick server I tried to access
localhost:3001/v1/users/username1/orders and was prompted for my
username and password, so it worked.

However, after I typed in localhost:3001/logout and then tried
localhost:3001/v1/users/username1/orders again, it failed to prompt
me. It showed

You have been logged out.
Listing orders

exposing data when I had already logged out.

May I ask what is wrong here?

Thanks!
Forgot to mention that I also installed the http_authentication plugin
as well.

Somehow my session is not destroyed. Where have I gone wrong?
Inside my application.rb:

  # Filters
  before_filter :authenticate

  # Sets @authenticated_user if the client provides valid HTTP Basic
  # credentials. This may be used to deny access or customise the view.
  # Only the Authorization header is consulted here; the cookie session
  # that /logout destroys plays no part in this decision.
  def authenticate
    @authenticated_user = nil
    authenticate_with_http_basic do |user, password|
      @authenticated_user = User.authenticate(user, password)
    end
    return true
  end

  # Filter for actions that require authentication. Unless the client
  # authenticated as some user, takes over the request and sends an
  # HTTP Basic challenge (request_http_basic_authentication).
  # @user_is_viewing_themselves is assigned by must_specify_user; when
  # that filter runs after this one it is still nil here, so the
  # ownership part of the check always passes.
  def must_authenticate
    if @authenticated_user && (@user_is_viewing_themselves != false)
      return true
    else
      request_http_basic_authentication
      return false
    end
  end

  # A filter for controllers beneath /users/{login}.
  # Transforms {login} into a user ID. Sends a 404 response code
  # if the user does not exist (if_found is a helper defined elsewhere
  # in the application; it is not shown here).
  def must_specify_user
    if params[:id]
      @user = User.find_by_permalink(params[:id])
      if_found(@user) { params[:user_id] = @user.id }
      return false unless @user
    end
    # for limiting the view to the authenticated user
    @user_is_viewing_themselves = (@authenticated_user == @user)
    return true
  end

In my orders_controller I use before_filter :must_authenticate and
before_filter :must_specify_user.
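The behaviour described in the post follows from how HTTP Basic authentication works: once a browser has sent credentials for a realm it silently replays the Authorization header on every later request, and the authenticate filter above accepts that header without ever looking at the cookie session that /logout destroys. A second problem is filter order: must_authenticate runs before must_specify_user, so @user_is_viewing_themselves is still nil when it is tested and any valid user can list another user's orders. The script below is an added example, not code from the original post or from the restful_authentication or http_authentication plugins. It models the posted filter chain and a hardened one against a constructed USERS table and a Request struct standing in for the Rails request and session (both are assumptions made for the example, as are the Request#html flag and the scenario helpers).

```ruby
require 'base64'

# Constructed sample user store standing in for the poster's User model
# (login => password). A real application would store password hashes.
USERS = { 'username1' => 'secret1', 'username2' => 'secret2' }.freeze

# Stand-in for the Rails request (assumption for this example): the headers
# the client sent, the cookie session hash, and whether the client is a
# browser asking for HTML.
Request = Struct.new(:path, :headers, :session, :html)

# Constant-time comparison, so a wrong password fails in the same time
# whichever byte is wrong.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What authenticate_with_http_basic does for us: decode
# "Basic base64(login:password)" and return the login on a match, else nil.
def user_from_basic(header)
  return nil unless header && header.start_with?('Basic ')
  decoded = begin
    Base64.strict_decode64(header.delete_prefix('Basic '))
  rescue ArgumentError
    return nil
  end
  login, password = decoded.split(':', 2)
  return nil unless login && password && USERS.key?(login)
  secure_equal?(USERS[login], password) ? login : nil
end

# The {login} segment of /v1/users/{login}/orders, if that user exists.
def target_user(path)
  login = path[%r{\A/v1/users/([^/]+)/orders\z}, 1]
  login if login && USERS.key?(login)
end

# The chain as posted: must_authenticate runs before must_specify_user, so
# @user_is_viewing_themselves is still nil when checked, and the cookie
# session (the only thing /logout destroys) is never consulted.
def posted_chain(req)
  authenticated = user_from_basic(req.headers['Authorization'])
  return [401, 'HTTP Basic challenge'] unless authenticated
  target = target_user(req.path)
  return [404, 'Not found'] unless target
  [200, "Listing orders for #{target}"]
end

# Hardened chain: a browser (HTML) request trusts only the cookie session,
# which logout really does clear; HTTP Basic is accepted only from API
# clients; and the target user is resolved before the ownership check.
def hardened_chain(req)
  target = target_user(req.path)
  return [404, 'Not found'] unless target
  authenticated =
    if req.html
      req.session[:user]
    else
      user_from_basic(req.headers['Authorization'])
    end
  return [401, 'HTTP Basic challenge'] unless authenticated
  return [403, 'Forbidden'] unless authenticated == target
  [200, "Listing orders for #{target}"]
end

def basic(login, password)
  'Basic ' + Base64.strict_encode64("#{login}:#{password}")
end

# Scenario 1: /logout cleared the session, but the browser keeps replaying
# the cached Authorization header on every request to the realm.
def after_logout(chain)
  session = { user: 'username1' }
  session.clear # what session destroy leaves behind
  send(chain, Request.new('/v1/users/username1/orders',
                          { 'Authorization' => basic('username1', 'secret1') },
                          session, true))
end

# Scenario 2: a different, valid user asks for username1's orders.
def cross_user(chain)
  send(chain, Request.new('/v1/users/username1/orders',
                          { 'Authorization' => basic('username2', 'secret2') },
                          { user: 'username2' }, true))
end

# Scenario 3: a non-browser API client with no cookie session at all.
def api_client(chain)
  send(chain, Request.new('/v1/users/username1/orders',
                          { 'Authorization' => basic('username1', 'secret1') },
                          {}, false))
end

if __FILE__ == $0
  %i[posted_chain hardened_chain].each do |chain|
    puts "#{chain}: after logout #{after_logout(chain).inspect}, " \
         "other user #{cross_user(chain).inspect}, API #{api_client(chain).inspect}"
  end
end
```

Run with `ruby basic_auth_logout.rb`: the posted chain returns 200 after logout and 200 for the other user's orders, while the hardened chain returns 401 and 403 respectively and still serves the API client. The practical lesson for the Rails 1.2 setup in the post is to pick one scheme per client type: let browser-facing actions rely on the restful_authentication session (which logout can really end) and reserve authenticate_with_http_basic for non-browser API requests, and run must_specify_user before must_authenticate so the ownership check has something to compare.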