Hi, I have created an application with two different types of people that may log in: students and administrators. I have created a login that redirects users who have logged in, depending on their role (student or administrator), to certain pages. How could I now disallow students from simply changing the URL and getting to the administrator pages? The only way that I can imagine now is to check in every action whether session[:me].role == "Administrator" and destroy the session otherwise. Then again, I don't know enough about Ruby on Rails yet to know of a better way. Thanks for thinking about it!
Christoph
on 2007-02-08 14:24
on 2007-02-08 14:29
Would this be something I can accomplish with "before_filter"?
Christoph
on 2007-02-08 14:43
On 8 Feb., 14:28, "ceicke" <e...@yfu.de> wrote:
> Would this be something I can accomplish with "before_filter"?
> Christoph

Exactly. Add a before_filter to all controllers/actions only admins should be able to access.

  class Admin < ActionController::Base
    # Runs before every action in this controller, whatever URL was requested.
    before_filter :check_authorization

    # (... your actions and stuff)

    private

    def check_authorization
      # Compare with ==, not =; an assignment would make everyone an administrator.
      # Also guard against no user being in the session at all.
      redirect_to(:controller => "Errors", :action => "not_authorized") unless session[:me] && session[:me].role == "Administrator"
    end
  end

Of course you would have to create an Errors controller and a not_authorized action with a corresponding view. But maybe you have another action to point to already, for general errors or whatever....
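To show why a class-level filter closes the URL-editing hole, here is an added example (not code from the thread) written in plain Ruby so it runs without Rails installed: it models the filter-then-action dispatch of a controller and the same role check, and additionally handles a session with no logged-in user. Names such as `AuthorizationFilter`, `AdminController` and `try_url` are assumptions for this example.

```ruby
# Added example, not from the thread: a plain-Ruby model of the before_filter
# approach. Assumption: the session holds a user object with a `role` attribute,
# as session[:me] does in the question.

User = Struct.new(:name, :role)

# The filter returns :allow or the redirect target it would send the user to.
class AuthorizationFilter
  ADMIN_ROLE = "Administrator"
  NOT_AUTHORIZED = { controller: "errors", action: "not_authorized" }.freeze
  LOGIN = { controller: "sessions", action: "new" }.freeze

  # Same decision as the reply's check_authorization, with two differences:
  # a missing session user is sent to the login page instead of raising, and
  # the role is compared with ==, never assigned.
  def self.call(session)
    me = session[:me]
    return LOGIN if me.nil?
    return NOT_AUTHORIZED unless me.role == ADMIN_ROLE
    :allow
  end
end

# Stand-in for a controller whose every action sits behind the filter, the way a
# class-level `before_filter :check_authorization` covers all of its actions.
class AdminController
  ACTIONS = %w[index users destroy_user].freeze

  def initialize(session)
    @session = session
  end

  # Dispatch order as in Rails: filter first, then the action. The action name
  # comes straight from the URL, which is exactly the part a student can edit.
  def dispatch(action)
    decision = AuthorizationFilter.call(@session)
    return [:redirect, decision] unless decision == :allow
    return [:not_found, action] unless ACTIONS.include?(action)
    [:ok, "#{action} rendered"]
  end
end

# Simulate a request for an admin action by a user with the given role
# (nil role = nobody logged in). Sample users are constructed here.
def try_url(role, action)
  session = role.nil? ? {} : { me: User.new("sample-user", role) }
  AdminController.new(session).dispatch(action)
end
```

Because the decision is made before the action is looked up, a student who types an admin URL by hand is redirected no matter which action the URL names.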