Two different areas, one password


I have created an application with two different types of people that
may log in: students and administrators. I have created a login that
redirects users who have logged in, depending on their role (student
or administrator), to certain pages. How could I now prevent students
from simply changing the URL and getting to the administrator pages?
The only way I can imagine right now is to check in every action whether
session[:me].role == "Administrator" and destroy the session otherwise.
Then again, I don't know enough about Ruby on Rails yet to know of a
better way.

Thanks for thinking about it!

Would this be something I can accomplish with "before_filter"?

On 8 Feb., 14:28, “ceicke” [email protected] wrote:

Would this be something I can accomplish with "before_filter"?

Exactly. Add a before_filter to all controllers/actions that only admins
should be able to access.

class AdminController < ApplicationController

  before_filter :check_authorization

  # (... your actions and stuff)

  private

  # Redirect anyone who is not an administrator before the action runs.
  # Note "==" for the comparison: "=" would be an assignment, which is
  # always truthy, so the redirect would never happen. The session[:me]
  # check guards against a visitor who is not logged in at all.
  def check_authorization
    redirect_to(:controller => "errors", :action => "not_authorized") unless
      session[:me] && session[:me].role == "Administrator"
  end
end

Of course you would have to create an Errors controller and a
not_authorized action with a corresponding view. But maybe you have
another action to point to already, for general errors or whatever...
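As an added example (not code from the thread), here is a plain-Ruby sketch of what a before_filter chain does, so the role check can be exercised without Rails; BaseController, AdminController, Me and the "/errors/not_authorized" path are assumed names for this demo:

```ruby
# Added demo, not Rails itself: a minimal before_filter chain (names assumed).
Me = Struct.new(:name, :role) # stand-in for the object kept in session[:me]

class BaseController
  # Class-level registry of filter names; subclasses inherit the parent's list.
  def self.before_filter(name)
    (@filters ||= []) << name
  end

  def self.filters
    inherited = superclass.respond_to?(:filters) ? superclass.filters : []
    inherited + (@filters || [])
  end

  def initialize(session)
    @session = session
  end

  # Filters run before the action; a redirect halts the chain, so the action
  # body never executes no matter what URL the user typed.
  def process(action)
    self.class.filters.each do |f|
      send(f)
      return @redirected_to if @redirected_to
    end
    send(action)
  end

  def redirect_to(path)
    @redirected_to = path
  end
end

class AdminController < BaseController
  before_filter :check_authorization
  def index
    "admin dashboard"
  end

  private
  # `==`, not `=`: an assignment is always truthy and the redirect would never
  # fire. The nil guard covers visitors who are not logged in at all.
  def check_authorization
    me = @session[:me]
    redirect_to("/errors/not_authorized") unless me && me.role == "Administrator"
  end
end
# Simulate a request to the admin index by a user with the given role.
def visit_admin(role)
  AdminController.new(me: Me.new("someone", role)).process(:index)
end
```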
