Stop users accessing methods


#1

Hello all.

Is there a way to stop users from being able to access a controller's
methods without affecting the ability of other controllers to use them?

i.e.

class FooController < ApplicationController
  def secret
    # Stuff
  end
end

class BarController < ApplicationController
  def index
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

But directly accessing the URL server.com/foo/secret/007

would return a “Not found” error?

It seems protected and private stop other controllers from accessing
methods. I just want to stop users. (Or more specifically “Outside”
requests not from a controller).

Is this possible in RoR?

Thanks

Jeff


#2

On 3/9/06, Jeff J. removed_email_address@domain.invalid wrote:

Is there a way to stop users from being able to access a controller's
methods without affecting the ability of other controllers to use them?

You can use a before filter to control access to the controller’s
action. The way to do this securely is to authenticate the user
somehow and check the authentication in the before filter.

  def index
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

But directly accessing the URL server.com/foo/secret/007

would return a “Not found” error?

The only way to do this without authenticating users is checking the
HTTP_REFERER, but that is trivially forgeable. If security matters,
you should authenticate users and store the authentication information
in the session, and check that in the before filter.


#3

The only way to do this without authenticating users is checking the
HTTP_REFERER, but that is trivially forgeable. If security matters,
you should authenticate users and store the authentication information
in the session, and check that in the before filter.

Bugger, I was afraid of that. When I say "Users" in this case I just
mean people using the website. It has no actual user/security framework.

Thanks


#4

class BarController < ApplicationController
  def index
    flash[:from_bar] = true
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

class FooController < ApplicationController
  def secret
    unless flash[:from_bar]
      raise ::ActionController::UnknownAction, 'no direct access permitted'
    end
    # Stuff
  end
end


We develop, watch us RoR, in numbers too big to ignore.

Oooohhh devious. Thanks very much. This isn't really a security
implementation, just to stop possibly silly curious users from messing
around.

Jeff


#5

Jeff J. wrote:

It seems protected and private stop other controllers from accessing
methods. I just want to stop users. (Or more specifically “Outside”
requests not from a controller).

Is this possible in RoR?

What I do for this is:

class BarController < ApplicationController
  def index
    flash[:from_bar] = true
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

class FooController < ApplicationController
  def secret
    unless flash[:from_bar]
      raise ::ActionController::UnknownAction, 'no direct access permitted'
    end
    # Stuff
  end
end


We develop, watch us RoR, in numbers too big to ignore.
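As an added example that is not code from this thread, here is a plain-Ruby model of the two approaches discussed above: the flash gate from post #5 and the authenticated-session before filter from post #2. The Controller base class, the UnknownAction/AccessDenied classes and the run helper are assumed stand-ins for ActionController so the comparison runs without Rails; it shows that the flash gate only proves the previous request hit bar/index, while the session check ties access to who the requester is.

```ruby
# Added example, not from the thread. Plain Ruby: the Controller base class is
# an assumed stand-in for ActionController (before_filter, session, flash) so
# the two approaches can be compared without a Rails install.
class UnknownAction < StandardError; end  # stands in for ActionController::UnknownAction
class AccessDenied < StandardError; end   # raised when a before filter halts the request

class Controller
  def self.filters; @filters ||= []; end
  # A filter that returns false/nil halts the request before the action runs.
  def self.before_filter(name); filters << name; end

  attr_reader :session, :flash, :params
  def initialize(session, flash, params)
    @session, @flash, @params = session, flash, params
  end

  def process(action)
    self.class.filters.each { |f| send(f) or raise AccessDenied, "#{f} halted #{action}" }
    send(action)
  end
end

# Post #5's approach: gate the action on a flash value set by BarController.
# It only proves the previous request hit bar/index, nothing about who sent it.
class FooController < Controller
  def secret
    raise UnknownAction, "no direct access permitted" unless flash[:from_bar]
    "secret for #{params[:id]}"
  end
end

# Post #2's approach: a before filter that checks the authenticated session,
# so access depends on identity rather than on navigation history.
class AdminController < Controller
  before_filter :require_login
  def require_login; !session[:user_id].nil?; end
  def secret; "secret for user #{session[:user_id]}"; end
end

# Dispatch one request; return the action's result or the failure class.
def run(klass, action, session: {}, flash: {}, params: {})
  klass.new(session, flash, params).process(action)
rescue UnknownAction, AccessDenied => e
  e.class
end
```

In a real Rails app the before filter would be declared with before_filter and check session data set at login; the flash gate remains only a convenience against casual URL poking, as post #4 says.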