I’m working through a Rails tutorial and saw the following code:
class UsersController < ApplicationController
before_filter :authenticate, :only => [:edit, :update]
before_filter :correct_user, :only => [:edit, :update]
.
.
.
private
def authenticate
deny_access unless signed_in?
end
def correct_user
@user = User.find(params[:id])
redirect_to(root_path) unless current_user?(@user)
end
Why are authenticate and correct_user private methods? Would it be
harmful if they were made public? What would be the consequences?
On Wed, Mar 9, 2011 at 10:11 AM, Gaba L. [email protected]
wrote:
harmful if they were made public? What would be the consequences?
Because external code could be written to take advantage of your
authentication process and break in. In general, any method you don’t
want
other parts of your code to have access to and/or are only for the
internal
workings of the code they are in should be private.
B.
On 9 March 2011 16:11, Gaba L. [email protected] wrote:
deny_access unless signed_in?
end
def correct_user
@user = User.find(params[:id])
redirect_to(root_path) unless current_user?(@user)
end
Why are authenticate and correct_user private methods? Would it be
harmful if they were made public? What would be the consequences?
Public methods in the controller are normally controller actions. Do
you have a specific reason for wanting them public?
Colin
I don’t, I just wanted to understand the nuance of keeping those methods
private - thanks!
if the assignment of current user is public, a users can steal resources
from another.