A browser sends a request (/main/index) so ROR creates an instance of
main_controller and invokes the index action on it. main_controller has
registered "audit" as a before_filter. "audit" is called first before
"index". So far so good.
def audit() does this:
# the login_controller handles the login page and
# knows whether or not there's a valid login by
# inspecting the session param in a certain way
# which it encapsulates.
# remember: audit is a method inside main_controller
c = AuthenticationController.new
if c.valid_user == true # if there's a valid login
. . .
The problem: when c.valid_user (that is LoginController.valid_user via
the `c' object) attempts to read from its @session param it is nil.
Conclusion: AuthenticationController.new creates a new controller but
its @session param is nil.
Implication: During the normal course of routing action calls, the ROR
framework creates your controller on your behalf via its class method
.new and, at a later time, also sets the session variable for you.
The design goal here is simple: delegation: I can have exactly one
class encapsulate all the authentication stuff. However my design is
broken because of the unexpected problem of not accessing the @session