Forum: Ruby on Rails Stop users accessing methods.

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Jeff Jones (rurounijones)
on 2006-03-09 15:39
Hello all.

Is there a way to stop users from being able to access a controllers
methods without affecting the ability of other controllers to use them?

i.e

class FooController < ApplicationController
  def secret
    # Stuff
  end
end

class BarController < ApplicationController
  def index
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

But directly accessing the URL server.com/foo/secret/007

would return a "Not found" error?

It seems protected and private stop other controllers from accessing
methods. I just want to stop users. (Or more specifically "Outside"
requests not from a controller).

Is this possible in RoR?

Thanks

Jeff
Jeremy Evans (Guest)
on 2006-03-09 19:33
(Received via mailing list)
On 3/9/06, Jeff Jones <rurounijones@hotmail.com> wrote:
> Is there a way to stop users from being able to access a controllers
> methods without affecting the ability of other controllers to use them?

You can use a before filter to control access to the controller's
action.  The way to do this securely is to authenticate the user
somehow and check the authentication in the before filter.

>
>   def index
>    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
>   end
> end
>
> But directly accessing the URL server.com/foo/secret/007
>
> would return a "Not found" error?

The only way to do this without authenticating users is checking the
HTTP_REFERER, but that is trivially forgeable.  If security matters,
you should authenticate users and store the authentication information
in the session, and check that in the before filter.
Jeff Jones (rurounijones)
on 2006-03-10 13:46
> The only way to do this without authenticating users is checking the
> HTTP_REFERER, but that is trivially forgeable.  If security matters,
> you should authenticate users and store the authentication information
> in the session, and check that in the before filter.

Bugger, I was afraid of that. When I say "Users" in this case I just
mean people using the website. It has no actual user/security framework.

Thanks
Mark Reginald James (Guest)
on 2006-03-10 14:51
(Received via mailing list)
Jeff Jones wrote:

>
>
> It seems protected and private stop other controllers from accessing
> methods. I just want to stop users. (Or more specifically "Outside"
> requests not from a controller).
>
> Is this possible in RoR?

What I do for this is:

class BarController < ApplicationController
  def index
    flash[:from_bar] = true
    redirect_to :controller => 'foo', :action => 'secret', :id => '007'
  end
end

class FooController < ApplicationController
  def secret
    unless flash[:from_bar]
      raise ::ActionController::UnknownAction, 'no direct access permitted'
    end
    # Stuff
  end
end

--
We develop, watch us RoR, in numbers too big to ignore.
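To make the two replies above concrete, here is an added example that is not code from the thread or from Rails itself. It is a small stand-in for the Rails 1.x controller pieces the replies rely on (session, flash, before_filter, redirect_to, render), written so that Jeremy's session-backed before filter and Mark's flash marker can be run side by side outside Rails. Every class and method name below (FlashHash, Browser, BaseController#run, NoDirectAccess, the *_demo methods) is hypothetical, and the logged-in user id is a constructed value.

```ruby
# Added example, not code from the thread or from Rails itself: a tiny stand-in
# for the Rails 1.x controller pieces the replies rely on, so both gating
# approaches can be run and compared. Every name below is hypothetical.

class NoDirectAccess < StandardError; end  # plays the role of ActionController::UnknownAction

# Flash semantics: a value written during one request is readable in that
# request and in the next one, then swept away.
class FlashHash
  def initialize; @now = {}; @next = {}; end
  def []=(key, value); @now[key] = value; @next[key] = value; end
  def [](key); @now[key]; end
  def sweep; @now = @next; @next = {}; end
end

# One "browser": its session and flash persist across the requests it makes.
class Browser
  def initialize; @session = {}; @flash = FlashHash.new; end
  def get(controller_class, action, params = {})
    result = controller_class.new(@session, @flash, params).run(action)
    @flash.sweep
    result
  end
end

class BaseController
  def self.before_filters; @before_filters ||= []; end
  def self.before_filter(name); before_filters << name; end
  attr_reader :session, :flash, :params
  def initialize(session, flash, params)
    @session, @flash, @params = session, flash, params
    @response = nil
  end
  def redirect_to(opts); @response = { status: 302, location: opts }; end
  def render(text); @response = { status: 200, body: text }; end
  # Before filters run first; one that redirects or renders halts the chain.
  def run(action)
    self.class.before_filters.each do |filter|
      send(filter)
      return @response if @response
    end
    send(action)
    @response
  end
end

# Approach 1 (Jeremy): authenticate once, keep the result in the session,
# and have a before filter check it on every request to the protected action.
class FooController < BaseController
  before_filter :require_login
  def secret; render("secret #{params[:id]}"); end
  private
  def require_login
    redirect_to(controller: 'login', action: 'new') unless session[:user_id]
  end
end

class LoginController < BaseController
  # Constructed stand-in: a real app would verify credentials before doing this.
  def create; session[:user_id] = 42; render('logged in'); end
end

# Approach 2 (Mark): a flash marker set by the redirecting controller. It holds
# for the single request after the redirect only, and authenticates nobody.
class BarController < BaseController
  def index
    flash[:from_bar] = true
    redirect_to(controller: 'foo', action: 'secret', id: '007')
  end
end

class FlashGatedFooController < BaseController
  def secret
    raise NoDirectAccess, 'no direct access permitted' unless flash[:from_bar]
    render("secret #{params[:id]}")
  end
end

# Direct hit is redirected (302); after logging in, the same browser gets 200.
def session_gate_demo
  b = Browser.new
  direct = b.get(FooController, :secret, id: '007')[:status]
  b.get(LoginController, :create)
  [direct, b.get(FooController, :secret, id: '007')[:status]]
end

def try_secret(b)
  b.get(FlashGatedFooController, :secret, id: '007')[:status]
rescue NoDirectAccess
  :blocked
end

# Direct hit is blocked; the request right after bar/index passes; the next is blocked again.
def flash_gate_demo
  b = Browser.new
  direct = try_secret(b)
  b.get(BarController, :index)
  [direct, try_secret(b), try_secret(b)]
end
```

Running `flash_gate_demo` shows why the flash trick is a deterrent rather than access control: the gate opens for exactly one request after any visit to bar/index, so the sequence can simply be repeated, whereas `session_gate_demo` only opens after the login action has put something in the session that the before filter checks on every request.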
Jeff Jones (rurounijones)
on 2006-03-14 18:48
>
> BarController
>    def index
>      flash[:from_bar] = true
>      redirect_to :controller => 'foo', :action => 'secret', :id => '007'
>    end
> end
>
> FooController
>    def secret
>      unless flash[:from_bar]
>        raise ::ActionController::UnknownAction, 'no direct access permitted'
>      end
>      #Stuff
>    end
> end
>
> --
> We develop, watch us RoR, in numbers too big to ignore.

Oooohhh devious. Thanks very much. This isn't really a security
implementation. Just to stop possibly silly curious users from messing
around.

Jeff