It seems protected and private stop other controllers from accessing
methods. I just want to stop users. (Or more specifically “Outside”
requests not from a controller).
Is there a way to stop users from being able to access a controller's
methods without affecting the ability of other controllers to use them?
You can use a before filter to control access to the controller’s
action. The way to do this securely is to authenticate the user
somehow and check the authentication in the before filter.
      def index
        redirect_to :controller => 'foo', :action => 'secret', :id => '007'
      end
    end
The only way to do this without authenticating users is checking the
HTTP_REFERER, but that is trivially forgeable. If security matters,
you should authenticate users and store the authentication information
in the session, and check that in the before filter.
Bugger, I was afraid of that. When I say “Users” in this case I just
mean people using the website. It has no actual user/security framework.
Is this possible in RoR?
What I do for this is:
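    class BarController < ApplicationController
      def index
        # Flag the next request in this session as coming from this redirect
        flash[:from_bar] = true
        redirect_to :controller => 'foo', :action => 'secret', :id => '007'
      end
    end

    class FooController < ApplicationController
      def secret
        # The flag is only present on the request that follows the redirect
        unless flash[:from_bar]
          raise ::ActionController::UnknownAction, 'no direct access permitted'
        end
        # Stuff
      end
    end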
–
We develop, watch us RoR, in numbers too big to ignore.
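The three checks discussed in this thread (Referer, flash flag, session authentication) compared side by side, as an added example that is not code from any poster. It is a plain-Ruby stand-in for Rails' session and flash, so `FakeSession`, `compare_guards`, the guard method names and the sample header are all hypothetical.

```ruby
# Plain-Ruby stand-in for one browser session (hypothetical, not Rails code).
class FakeSession
  def initialize
    @session    = {}  # server-side state tied to the session cookie
    @flash_now  = {}  # flash readable during the current request
    @flash_next = {}  # flash written now, readable on the next request only
  end

  def log_in
    @session[:user_id] = 1  # constructed user id
  end

  # Dispatch one request; headers come from the client and are untrusted.
  def request(action, headers = {})
    @flash_now, @flash_next = @flash_next, {}
    send(action, headers)
  end

  private

  def bar_index(_headers)
    @flash_next[:from_bar] = true
    :redirect
  end

  # Guard 1: Referer check, trusts a value the client chooses.
  def secret_by_referer(headers)
    headers['HTTP_REFERER'].to_s.include?('/bar') ? :ok : :denied
  end
  # Guard 2: the flash flag from the thread, stored server-side.
  def secret_by_flash(_headers)
    @flash_now[:from_bar] ? :ok : :denied
  end
  # Guard 3: what an authenticating before filter checks.
  def secret_by_session(_headers)
    @session[:user_id] ? :ok : :denied
  end
end

def compare_guards
  s = FakeSession.new
  hdr = { 'HTTP_REFERER' => 'http://example.test/bar' }  # constructed, client-supplied
  r = {}
  r[:referer_with_header]  = s.request(:secret_by_referer, hdr)
  r[:flash_direct]         = s.request(:secret_by_flash, hdr)
  s.request(:bar_index)
  r[:flash_after_redirect] = s.request(:secret_by_flash)
  r[:flash_second_visit]   = s.request(:secret_by_flash)
  r[:session_anonymous]    = s.request(:secret_by_session, hdr)
  s.log_in
  r[:session_logged_in]    = s.request(:secret_by_session)
  r
end
```

The flash flag only shows that the same session was just redirected from `BarController#index`, which any visitor can request, so it restricts the entry path rather than identifying who is asking.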