They can still POST to it so it’s not safe.
The answer is to move the code to a helper which can be used from both a controller and a view.
hide_action [ :whatever, ... ]
Hey,
I've always used 'protected' for this:
class FooController < ApplicationController
  def url_accessible_method
  end

  protected

  def non_url_accessible_method
  end

  def another_non_url_accessible_method
  end

  # make certain protected controller methods available to views
  helper_method :non_url_accessible_method, :another_non_url_accessible_method
end

However, note that doing:

class FooController
  # stuff
  protected
  include HelperModule
end

will not mark the methods in HelperModule as protected. You either have to do this:

module HelperModule
  protected
  # your helper methods here
end

or you have to do this:

class FooController
  include HelperModule
  protected :each, :method, :name, :in, :helper_module
end
HTH, Trevor
Trevor
The easiest way is to use a helper. Protected and private methods are also a good idea, but if you really want to make your code clean, use helpers.
The hide_action works, but again, it’s not very clean.
Methods defined in a helper and included in the controller ARE accessible publicly. The way to do it is:
/app/helpers/global_helper.rb

module GlobalHelper
  protected

  def do_something
    "Hello world"
  end
end

/app/controllers/global_controller.rb

class GlobalController < ApplicationController
  include GlobalHelper

  def index
    render :text => do_something
  end
end
Keeps everything nice and clean.
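Added example, not part of the thread: a plain-Ruby check of the visibility behaviour discussed above, showing that a bare `protected` before `include` leaves mixed-in methods public while the two suggested fixes do not. `BaseController`, `routable_actions` and the controller and module names are hypothetical, and the assumption is that the framework treats a controller's public instance methods as reachable actions.

```ruby
# Simplified stand-in for a Rails controller base class (assumption: the
# framework exposes a controller's public instance methods as actions).
class BaseController; end

# Hypothetical helper: the methods a request could reach as actions.
def routable_actions(controller)
  (controller.public_instance_methods(true) -
   BaseController.public_instance_methods(true)).sort
end

module LeakyHelper
  def do_something; "Hello world"; end
end

module GuardedHelper
  protected
  def do_something; "Hello world"; end
end

# A bare `protected` only affects methods defined with `def` after it in this
# class body; it does not change the visibility of methods added by `include`.
class LeakyController < BaseController
  def index; do_something; end
  protected
  include LeakyHelper
end

# Fix 1: the module itself declares its methods protected.
class GuardedController < BaseController
  include GuardedHelper
  def index; do_something; end
end

# Fix 2: re-declare the included methods as protected, by name.
class RedeclaredController < BaseController
  include LeakyHelper
  protected :do_something
  def index; do_something; end
end

[LeakyController, GuardedController, RedeclaredController].each do |c|
  puts "#{c}: #{routable_actions(c).inspect}"
end
```

Running the same kind of listing against a real controller is a quick way to audit which methods are exposed after mixing in a helper module.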