You can't do the finds in a filter because what you want to do depends
on the action (find all for index but only one for edit for example).
OK, understood - and that might sound obvious but it wasn't; I had
visions of doing something programmatically in the before filter to check
what action was being done at the time, and that seemed like a very odd
thing to do. I can see now that's not the way to go. Ta.
I would firstly make sure that nothing can be done without logging in
by using a before filter to check that, something like
OK, great - I get this and I'm doing it already, albeit in the
baby_names_controller. I'll move it to the application controller and skip
it for the welcome controller's index action (the homepage, which is
public). Makes perfect sense. I can see how this way the app should be
secured at one level - you need to have an account and be logged in to
Then provide appropriate named scopes for
BabyNames that enforce the conditions and always use those rather than
the generic find. If you are not sure what named scopes you need then
initially just put the finds in line with the conditions and when you
find yourself repeating a find then convert it to a named scope.
Remember that the code is under your control. If you have no find
operations in the code that do not specify the user conditions then
there is no way a find can be performed using your app that does not
have that condition. Do a global search in your app for 'find' and
check they all have appropriate conditions.
That's fine, will do that - but the way you put it sounds like I'd have
a lot of named_scopes to do this; in this case I can only think of two,
the find for a specific baby name and the one to get them all. Actually
hold on *CORRECTION*, sorry, I type as I think! That's right, I'm doing
other finds as well, e.g. finding a user's boy baby names and girl baby
names - I guess I should secure those also on the basis of the
current_user's boy baby names. Basically, are you saying move all finds to
the model and make sure they're secured there? Hmm, what if I want some
or other baby_name on my home page? No model for that -> guess I can do
a find for that in the welcome controller, that's OK. Is the idea to get
all the finds into the model so I can be certain the user authorisation
is in place any time someone tries to find a record / records?
Don't forget in your automated tests to make sure nothing can be done
without logging in and that if an attempt is made to get a name that
should not be accessible then it fails.
V good idea. Will put this in place in line with the new find code and will
check it fails without the current_user.
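Putting the thread's advice together as added example code (plain Ruby, not the poster's app or Rails itself): the `PUBLIC_ACTIONS` list, the constructed `BabyName` rows and the `for_user`/`find_for_user` names are all assumptions standing in for the application-controller before filter and the owner-scoped named scopes discussed above.

```ruby
# Added illustration of the thread's advice in plain Ruby (no Rails), not
# the poster's code: a login check that only the public homepage skips, and
# owner-scoped finders so a find can never return another user's record.
class NotLoggedIn < StandardError; end
class NotFound < StandardError; end

# Stand-in for the application-controller before filter: everything needs
# a logged-in user except the actions listed here (welcome#index).
PUBLIC_ACTIONS = { "welcome" => ["index"] }.freeze

def login_required?(controller, action)
  !PUBLIC_ACTIONS.fetch(controller, []).include?(action)
end

BabyName = Struct.new(:id, :user_id, :name, :sex)

# Constructed sample rows standing in for the baby_names table.
BABY_NAMES = [
  BabyName.new(1, 10, "Oliver", "boy"),
  BabyName.new(2, 10, "Amelia", "girl"),
  BabyName.new(3, 20, "George", "boy"),
].freeze

# Stand-in for the model's named scopes (roughly
#   named_scope :for_user, lambda { |u| { :conditions => { :user_id => u.id } } }
# in Rails 2): every scope takes the current user and filters on user_id.
module BabyNameScopes
  def self.for_user(user_id)
    raise NotLoggedIn, "no current_user" if user_id.nil?
    BABY_NAMES.select { |n| n.user_id == user_id }
  end

  def self.boys(user_id)
    for_user(user_id).select { |n| n.sex == "boy" }
  end

  def self.girls(user_id)
    for_user(user_id).select { |n| n.sex == "girl" }
  end

  # Replacement for BabyName.find(params[:id]): an id owned by another user
  # is indistinguishable from an id that does not exist.
  def self.find_for_user(user_id, id)
    for_user(user_id).find { |n| n.id == id } or
      raise NotFound, "no baby name #{id} for user #{user_id}"
  end
end
```

The last two checks in a test suite would be the ones the thread asks for: a find with no current_user must raise, and a find for another user's id must fail rather than return the row.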