I have created an application with two different types of people that
may login: students and administrators. I have created a login that
redirects users that have logged in depending on their role (student
or administrator) to certain pages. How could I now disallow students
to simply change the URL and get to the administrator pages?
The only way that I could imagine now is to check in every action if
session[:me].role == “Administrator” and destroy the session in the
other case. Yet again I don’t know that much about Ruby on Rails yet
to know about a better way.
Would this be something I can accomplish with “before_filter”?
Christoph
Exactly. Add a before_filter to all controllers/actions only admins
should be able to access.
class AdminController < ActionController::Base
  before_filter :check_authorization
  # (… your actions and stuff)
  private
  # Runs before every action in this controller: anyone who is not a
  # logged-in Administrator is redirected and the action never executes.
  def check_authorization
    redirect_to(:controller => "Errors", :action => "not_authorized") unless
      session[:me] && session[:me].role == "Administrator"
  end
end
Of course you would have to create an Errors controller and a
not_authorized action with a corresponding view. But maybe you have
another action to point to already, for general errors or whatever…
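The filter pattern from the reply above, as an added stand-alone example that is not part of the thread: a plain-Ruby model of a controller with a before_filter chain, so the authorization decision can be exercised without Rails. The `Controller`, `AdminController`, `User` and `request_admin_index` names are assumptions for this example; the point it adds is that the check must also handle a visitor with no session at all, and that a filter which redirects stops the action from running, which is what prevents a student from reaching an admin page by editing the URL.

```ruby
# Added example, not code from the thread. Minimal stand-in for Rails'
# controller filter chain; names below are assumed for illustration.

User = Struct.new(:name, :role)

class Controller
  # Class-level filter registry, mimicking Rails' before_filter.
  def self.before_filter(*names)
    filters.concat(names)
  end

  def self.filters
    @filters ||= []
  end

  attr_reader :session, :redirected_to, :rendered

  def initialize(session)
    @session = session
    @redirected_to = nil
    @rendered = nil
  end

  # Run every filter first; if one of them redirects, the action is skipped.
  def process(action)
    self.class.filters.each do |f|
      send(f)
      return @redirected_to if @redirected_to
    end
    send(action)
  end

  def redirect_to(target)
    @redirected_to = target
  end
end

class AdminController < Controller
  before_filter :check_authorization

  def index
    @rendered = "admin dashboard for #{session[:me].name}"
  end

  private

  # Deny unless a logged-in user with the Administrator role is present.
  # The nil guard matters: a visitor with no session must be redirected,
  # not crash the request with NoMethodError on nil.
  def check_authorization
    me = session[:me]
    return if me && me.role == "Administrator"
    redirect_to(controller: "Errors", action: "not_authorized")
  end
end

# Simulate a request to /admin/index with the given session hash.
# Returns the rendered page for admins, or the redirect target otherwise.
def request_admin_index(session)
  c = AdminController.new(session)
  c.process(:index)
  c.redirected_to || c.rendered
end

if __FILE__ == $0
  admin = User.new("alice", "Administrator")
  student = User.new("bob", "Student")
  p request_admin_index(me: admin)    # the admin page is rendered
  p request_admin_index(me: student)  # redirect to Errors#not_authorized
  p request_admin_index({})           # no session at all: also redirected
end
```

Because the role is checked on the server for every admin action rather than only when building links, changing the URL by hand gives a student the same redirect as following a link would; the check is the authorization, and the hidden navigation is just convenience.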