Restful_authentication + nested resources => failed to authenticate

Rails
1

To all:

hi,

i used rails 1.2.6 + restful_authentication plugin

#base_url
base = ‘/v1’

map.resources :users, :path_prefix => base

map.resources :users do |users|
users.resources :orders, :path_prefix => ‘/v1/users/:id’
end

map.resource :session

map.signup ‘/signup’, :controller => ‘users’, :action => ‘new’
map.login ‘/login’, :controller => ‘session’, :action => ‘new’
map.logout ‘/logout’, :controller => ‘session’, :action => ‘destroy’

this is my routes.rb

when i first started my webrick, i tried to access localhost:3001/v1/
users/username1/orders
i was prompted for my username password. so it worked.

however when i type in localhost:3001/logout

and when i try localhost:3001/v1/users/username1/orders, it failed to
prompt me.

it showed

You have been logged out.
Listing orders

exposing data when I have already logged out.

May I ask what is wrong here?

Thanks!

2

Forgot to mention that i also installed http_authentication plugin as
well.

3

Somehow my session is not destroyed.

what have i gone wrong?

inside my application.rb

Filters

before_filter :authenticate

Sets @authenticated_user if the user provides valid

credentials. THis may be used to deny access or customise the view

def authenticate
@authenticated_user = nil
authenticate_with_http_basic do |user, password|

  @authenticated_user = User.authenticate(user, password)
end

return true

end

#Filter for actions that require authentication. Unless client
authenticated

as some user, takes over the request and sends a response code of

def must_authenticate
if @authenticated_user && (@user_is_viewing_themselves != false)
return true
else
request_http_basic_authentication
return false
end
end

A filter for controllers beneath /users/{login}.

Transforms {login} into user ID. Sends a 404 response code

if the user does not exist.

def must_specify_user
if params[:id]
@user = User.find_by_permalink(params[:id])
if_found(@user) {params[:user_id] = @user.id}
return false unless @user
end
# for limiting view to authenticated user
@user_is_viewing_themselves = (@authenticated_user == @user)
return true
end

in my orders_controller i use before_filter :must_authenticate and
before_filter:must_specify_user