I have an authentication and authorization system built along the same
lines as those outlined in Michael H.'s Rails tutorial.
Here is the employees_controller.rb:
```ruby
class EmployeesController < ApplicationController
  before_filter :signed_in_employee, only: [:index, :edit, :update]
  before_filter :correct_employee,   only: [:edit, :update]

  # etc etc

  private

  # Redirect anonymous visitors to the sign-in page, remembering where they were going
  def signed_in_employee
    unless signed_in?
      store_location
      redirect_to signin_path, notice: "Please sign in to access this page."
    end
  end

  # Only the employee being edited may edit their own record
  def correct_employee
    @employee = Employee.find(params[:id])
    redirect_to(root_path) unless current_employee?(@employee)
  end

  def admin_employee
    redirect_to(root_path) unless current_employee.admin?
  end
end
```
The pages start out at root. If you try to change the URL to, say,
'employees', you get the message
"Please sign in to access this page."
If you change the URL to any other page, e.g. to contracts, you totally
circumvent the authentication and authorization.
Is there a way to use the authentication and authorization of
'employee' to prevent a user from changing the URL to circumvent the
sign-in, and also to govern access to any other page, without using
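The behaviour described in the question follows from where the filter is declared: a `before_filter` in EmployeesController only guards EmployeesController, so ContractsController (and every other controller) has no filter at all. The usual fix is default deny: declare `before_filter :signed_in_employee` once in ApplicationController, which every controller inherits, and have the few controllers that must be reachable anonymously (sign-in, sign-up) opt out with `skip_before_filter`. The block below is an added example, not code from the post or from the tutorial it mentions. It runs without Rails by using a small `MiniController` stand-in that reproduces only the filter-chain inheritance semantics (in a real app, inherit from `ActionController::Base` instead), and the `EMPLOYEES` table, `SessionsController`, `ContractsController`, the `/signin` and `/` paths and the `dispatch` helper are all constructed for the example.

```ruby
# Stand-in for the slice of ActionController this example needs: before_filter,
# skip_before_filter, and a filter chain that subclasses inherit. It is NOT
# Rails; in a real app inherit from ActionController::Base instead.
class MiniController
  class << self
    def before_filter(name, only: nil); own_filters << [name, only]; end
    def skip_before_filter(name);      own_skipped << name;         end
    def own_filters; @own_filters ||= []; end
    def own_skipped; @own_skipped ||= []; end

    # Parent filters run first, then this class's, minus any it skipped.
    def filters_for(action)
      inherited = superclass.respond_to?(:filters_for) ? superclass.filters_for(action) : []
      mine = own_filters.select { |_, only| only.nil? || only.include?(action) }.map(&:first)
      (inherited + mine) - own_skipped
    end
  end

  attr_reader :session, :params, :request_path

  def initialize(session, params, request_path)
    @session, @params, @request_path = session, params, request_path
  end

  # Run the chain; a redirect halts it (as in Rails), so the action never executes.
  def process(action)
    self.class.filters_for(action).each do |filter|
      send(filter)
      return { redirect: @redirect } if @redirect
    end
    { body: send(action) }
  end

  def redirect_to(path, notice: nil)
    @redirect = path
    @notice   = notice
  end
end

# Constructed in-memory employee table standing in for the Employee model.
Employee  = Struct.new(:id, :admin) { def admin?; admin; end }
EMPLOYEES = { 1 => Employee.new(1, false), 2 => Employee.new(2, true) }

class ApplicationController < MiniController
  # Default deny: every action of every controller requires a signed-in employee
  # unless a subclass explicitly opts out with skip_before_filter.
  before_filter :signed_in_employee

  private

  def signed_in?;             !session[:employee_id].nil?;                    end
  def current_employee;       signed_in? && EMPLOYEES[session[:employee_id]]; end
  def current_employee?(emp); emp == current_employee;                        end
  def store_location;         session[:return_to] = request_path;             end

  def signed_in_employee
    unless signed_in?
      store_location
      redirect_to "/signin", notice: "Please sign in to access this page."
    end
  end

  # Runs after signed_in_employee, so current_employee is never nil here.
  def correct_employee
    @employee = EMPLOYEES[params[:id]]
    redirect_to "/" unless current_employee?(@employee)
  end

  def admin_employee
    redirect_to "/" unless current_employee.admin?
  end
end

# Only the sign-in pages are reachable anonymously.
class SessionsController < ApplicationController
  skip_before_filter :signed_in_employee
  def new; "signin form"; end
end

# No filters of its own, yet protected: it inherits the ApplicationController chain.
class ContractsController < ApplicationController
  def index; "contracts index"; end
end

class EmployeesController < ApplicationController
  before_filter :correct_employee, only: [:edit, :update]
  before_filter :admin_employee,   only: [:destroy]
  def index;   "employee list";                     end
  def edit;    "edit employee #{params[:id]}";      end
  def destroy; "destroyed employee #{params[:id]}"; end
end

# Simulate one request: returns { redirect: path } or { body: ... }.
def dispatch(controller, action, session: {}, params: {}, path: "/")
  controller.new(session, params, path).process(action)
end
```

With the filter in the base class, `dispatch(ContractsController, :index)` for an anonymous session redirects to `/signin`, while `dispatch(SessionsController, :new)` still serves the form. The per-object checks (`correct_employee`, `admin_employee`) stay in the controllers that need them and run after the global sign-in check, which is why they can assume `current_employee` is present. The check worth keeping in mind when reviewing such a setup is the reverse one: grep for every `skip_before_filter :signed_in_employee`, since each of those is a deliberate hole in the default deny.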