Two different areas, one password


I have created an application with two different types of people that
may log in: students and administrators. I have created a login that
redirects users who have logged in, depending on their role (student
or administrator), to certain pages. How could I now prevent students
from simply changing the URL and getting to the administrator pages?
The only way that I can imagine now is to check in every action whether
session[:me].role == "Administrator" and destroy the session otherwise.
Then again, I don't know that much about Ruby on Rails yet to know of
a better way.

Thanks for thinking about it!

Would this be something I can accomplish with “before_filter”?

On 8 Feb., 14:28, “ceicke” [email protected] wrote:

Would this be something I can accomplish with “before_filter”?

Exactly. Add a before_filter to all controllers/actions only admins
should be able to access.

class AdminController < ActionController::Base

  before_filter :check_authorization

  # (... your actions and stuff)

  private

  def check_authorization
    me = session[:me]
    redirect_to(:controller => "errors", :action => "not_authorized") unless me && me.role == "Administrator"
  end
end

Of course you would have to create an Errors controller and a
not_authorized action with a corresponding view. But maybe you have
another action to point to already, for general errors or whatever...
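The before_filter approach above, as an added runnable example that is not part of the original thread. Rails is not loaded: FakeController is a constructed stand-in for the only part of the ActionController filter chain that matters here (before_filters run in order, and a redirect halts the chain before the action). User, NOT_AUTHORIZED, AdminController, BuggyAdminController and admin_index_for are all names assumed for the illustration. Alongside the correct deny-by-default filter it also shows what happens when the comparison is written with `=` instead of `==`, an easy slip in exactly this kind of check.

```ruby
# Added example, not from the original thread. Rails is not loaded: FakeController is a
# constructed stand-in for the part of the ActionController filter chain that matters
# here (before_filters run in order; a redirect halts the chain before the action).
# User, NOT_AUTHORIZED, the session hashes and the controller names are assumptions.

User = Struct.new(:login, :role)   # stand-in for whatever object the app stores in session[:me]

class FakeController
  # Filters are registered per controller class, as with Rails' before_filter.
  def self.before_filters
    @before_filters ||= []
  end

  def self.before_filter(name)
    before_filters << name
  end

  attr_reader :session, :redirected_to

  def initialize(session)
    @session = session
    @redirected_to = nil
  end

  def redirect_to(target)
    @redirected_to = target
  end

  # Run every before_filter; if one redirected, stop and never reach the action.
  # Returns the action's result, or :redirected when a filter halted the request.
  def process(action)
    self.class.before_filters.each do |filter|
      send(filter)
      return :redirected if @redirected_to
    end
    send(action)
  end
end

NOT_AUTHORIZED = { :controller => "errors", :action => "not_authorized" }

# The corrected filter: deny by default. No user in the session, or a non-admin user,
# gets redirected, so no action in this controller needs its own role check.
class AdminController < FakeController
  before_filter :check_authorization

  def index
    :admin_index_rendered
  end

  private

  def check_authorization
    me = session[:me]
    redirect_to(NOT_AUTHORIZED) unless me && me.role == "Administrator"
  end
end

# The same filter with `=` where `==` was meant. The assignment evaluates to
# "Administrator", which is truthy, so `unless` never fires: every logged-in visitor
# reaches the action, and their in-session role is silently overwritten as well.
# (With nobody logged in this version raises NoMethodError on nil instead.)
class BuggyAdminController < FakeController
  before_filter :check_authorization

  def index
    :admin_index_rendered
  end

  private

  def check_authorization
    redirect_to(NOT_AUTHORIZED) unless session[:me].role = "Administrator"
  end
end

# Drive one request through a controller.
# Returns [what the request produced, redirect target or nil].
def admin_index_for(session, controller = AdminController)
  c = controller.new(session)
  [c.process(:index), c.redirected_to]
end

if __FILE__ == $0
  admin   = { :me => User.new("alice", "Administrator") }
  student = { :me => User.new("bob", "Student") }
  p admin_index_for(admin)                           # [:admin_index_rendered, nil]
  p admin_index_for(student)                         # [:redirected, {:controller=>"errors", :action=>"not_authorized"}]
  p admin_index_for({})                              # [:redirected, ...]: not logged in at all
  p admin_index_for(student, BuggyAdminController)   # [:admin_index_rendered, nil]: the `=` slip lets the student in
  p student[:me].role                                # "Administrator": and rewrote the role
end
```

The filter only has to live in the controllers that serve admin pages; every action in such a controller is covered without repeating the check, and the unauthenticated case is handled explicitly rather than left to a NoMethodError on a nil session entry.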