Stop User from Changing URL

I have an authentication and authorization system built along the same
lines as those outlined in Michael H.'s Rails tutorial.

Here is the employees_controller.rb:

  class EmployeesController < ApplicationController
    # These filters only cover actions of this controller; other
    # controllers inherit nothing from them.
    before_filter :signed_in_employee, only: [:index, :edit, :update]
    before_filter :correct_employee,   only: [:edit, :update]

    # etc.

    private

      # Requires a signed-in employee; remembers the requested page so the
      # user can be sent back to it after signing in.
      def signed_in_employee
        unless signed_in?
          store_location
          redirect_to signin_path, notice: "Please sign in to access this page."
        end
      end

      # Only the employee who owns the record may edit or update it.
      def correct_employee
        @employee = Employee.find(params[:id])
        redirect_to(root_path) unless current_employee?(@employee)
      end

      # Restricts an action to admins (not wired to a before_filter above).
      def admin_employee
        redirect_to(root_path) unless current_employee.admin?
      end
  end

The pages start out at root. If you try to change the URL to, say,
‘employees’, you will get the message
“Please sign in to access this page.”

If you change the URL to any other page, i.e. to contracts, you totally
circumvent the authentication and authorization.

Is there a way to use the authentication and authorization of
‘employee’ to prevent a user from changing the URL to circumvent the
sign-in, and also to govern access to any other page, without using
a gem?

Thanks,

fuzzy.

On Mon, Dec 3, 2012 at 8:42 AM, fuzzy [email protected] wrote:

If you change the URL to any other page, i.e. to contracts, you totally
circumvent the authentication and authorization.

Is there a way to use the authentication and authorization of
‘employee’ to prevent a user from changing the URL to circumvent the
sign-in, and also to govern access to any other page, without using
a gem?

Store the user id in the session, then create a method on
ApplicationController that checks the user, and run a before filter on
all actions you need to secure; if the user id doesn’t exist in the
session, redirect them to the login page and redirect them back
after authentication. Normally these methods would be “user”, so you
can call “user” and get the user information automatically, and
“authenticate_user!”, which would do the checking for “user” and
redirect_to if there is a problem… This is just a base idea; you
need to fill in the blanks on security between these actions.

Authentication systems are hard, and this is no joke. They are hard
because they require a lot of work to get right, and they are harder
when you mix in ACLs and MALs, which require even more
work. I would recommend, instead of doing it from scratch, at first using
Devise or Omniauth: both proven to be secure, both able to handle
custom auth, and both will ease the pain until you understand the full
stack of Rails.
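As an added example (not code from this thread, from the Rails tutorial, or from Rails itself), here is a plain-Ruby model of the flow Jordon describes and of why it closes the hole in fuzzy's question: the `authenticate_user!` filter is registered on `ApplicationController`, so every controller (including a `ContractsController` that defines no filter of its own) is denied by default, and only `SessionsController` opts out for the sign-in actions. In a real Rails app the same shape is `before_filter :authenticate_user!` in `ApplicationController` (Rails 4 renames it `before_action`) plus `skip_before_filter` in `SessionsController`; the controller base class with its `process` dispatcher, the `Redirect` class, the `visit` helper and the `USERS` store are constructed here so the file runs under plain `ruby` without Rails.

```ruby
# Added example: session-based authentication gate modelled in plain Ruby.
# Names mirror Rails helpers; dispatch, session and user store are constructed.
require "digest"

# Constructed user store; a real app keeps bcrypt digests via has_secure_password.
USERS = {
  7 => { id: 7, name: "fuzzy", admin: false,
         password_digest: Digest::SHA256.hexdigest("correct horse") },
}

# Raised by a filter or action to end the request, like redirect_to.
class Redirect < StandardError
  attr_reader :to
  def initialize(to)
    @to = to
    super("redirect to #{to}")
  end
end

class ApplicationController
  attr_reader :session, :request_path, :params

  # Filters registered on the base class are inherited by every subclass,
  # so a new controller is protected without any code of its own.
  def self.before_filters
    @before_filters ||= superclass.respond_to?(:before_filters) ? superclass.before_filters.dup : []
  end

  def self.skips
    @skips ||= superclass.respond_to?(:skips) ? superclass.skips.dup : []
  end

  def self.before_filter(name, only: nil)
    before_filters << [name, only]
  end

  def self.skip_before_filter(name, only: nil)
    skips << [name, only]
  end

  def initialize(session, request_path, params = {})
    @session, @request_path, @params = session, request_path, params
  end

  # Run the inherited filters, then the action; a Redirect ends the request.
  def process(action)
    self.class.before_filters.each do |name, only|
      next if only && !only.include?(action)
      next if self.class.skips.any? { |n, o| n == name && (o.nil? || o.include?(action)) }
      send(name)
    end
    send(action)
  rescue Redirect => e
    { redirect: e.to }
  end

  # Default deny: every action in every controller requires a signed-in user.
  before_filter :authenticate_user!

  private

  def current_user
    @current_user ||= USERS[session[:user_id]] if session[:user_id]
  end

  def signed_in?
    !current_user.nil?
  end

  # Remember where the user wanted to go, then send them to the sign-in page.
  def authenticate_user!
    return if signed_in?
    store_location
    raise Redirect.new("/signin")
  end

  def store_location
    session[:return_to] = request_path
  end

  # Only honour a stored path that is local to this site (no open redirect).
  def redirect_back_or(default)
    target = session.delete(:return_to)
    target = default unless target && target.start_with?("/") && !target.start_with?("//")
    raise Redirect.new(target)
  end
end

class ContractsController < ApplicationController
  def index
    { status: 200, body: "contracts visible to #{current_user[:name]}" }
  end
end

class SessionsController < ApplicationController
  # The sign-in page itself must be reachable anonymously.
  skip_before_filter :authenticate_user!, only: [:new, :create]

  def new
    { status: 200, body: "sign-in form" }
  end

  def create
    user = USERS.values.find { |u| u[:name] == params[:name] }
    ok = user && user[:password_digest] == Digest::SHA256.hexdigest(params[:password].to_s)
    raise Redirect.new("/signin") unless ok
    session[:user_id] = user[:id]
    redirect_back_or("/")
  end
end

# Simulate one request: visit(ContractsController, :index, {}, "/contracts")
def visit(controller, action, session, path, params = {})
  controller.new(session, path, params).process(action)
end
```

Walking through it with an empty session: `visit(ContractsController, :index, session, "/contracts")` returns `{ redirect: "/signin" }` and leaves `/contracts` in `session[:return_to]`; a successful `visit(SessionsController, :create, ...)` stores the user id and redirects back to `/contracts`; the same `index` request then succeeds. The `redirect_back_or` check matters because the stored location comes from the request path, so it is only ever followed when it is a local path.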

Thanks Jordon … I take your point … I begin with some sites
discussing both of these issues, authentication and authorization.

fuzzy.