newbie redirect_to :back related question

Hi,

In the course of integrating an authentication module (Authlogic) into my Rails app, I've developed the following priority:

'If the current user makes a url request for which they are ineligible, return the user to the page from which they made their invalid request.'

One way to get at this is with the following two methods in the application_controller:

   def store_location      session[:return_to] = request.request_uri    end

   def redirect_back_or_default(default)      redirect_to(session[:return_to] || default)      session[:return_to] = nil    end

But if I wanted to guarantee that the user was redirected back to any action from which they made an ineligible request, I would need to call store_location for every such controller action, which is crazy.

Is there no inexpensive way that Rails will remember every last request (without resort to session)?

My hope would be for something like:

redirect_to :back

But this is a no-go...

Lille

Lille wrote:

Hi,

In the course of integrating an authentication module (Authlogic) into my Rails app, I've developed the following priority:

'If the current user makes a url request for which they are ineligible, return the user to the page from which they made their invalid request.'

One way to get at this is with the following two methods in the application_controller:

   def store_location      session[:return_to] = request.request_uri    end

   def redirect_back_or_default(default)      redirect_to(session[:return_to] || default)      session[:return_to] = nil    end

But if I wanted to guarantee that the user was redirected back to any action from which they made an ineligible request, I would need to call store_location for every such controller action, which is crazy.

Not crazy at all. Just put it in a before_filter.

Is there no inexpensive way that Rails will remember every last request (without resort to session)?

Putting it in the session is pretty inexpensive, and probably the right thing to do.

My hope would be for something like:

redirect_to :back

But this is a no-go...

Why?

Well, for one thing, you don't always have an HTTP_REFERER (if the user types a URL into the browser for example).

You get this nearly for free with Authlogic anyway. Just modify the example require_user and associated code to fit your needs.

-Rob

Rob Biedenharn Rob@AgileConsultingLLC.com http://AgileConsultingLLC.com/ rab@GaslightSoftware.com http://GaslightSoftware.com/

@Rob - Yes, I see what you're referring to in the Authlogic example code. I guess I can feel comforted by that...

@Marnen, @Rob - ...but isn't reliance on session expensive, e.g., if I've chosen server-side ActiveRecordStore session storage?

@Rob - Yes, I see what you're referring to in the Authlogic example code. I guess I can feel comforted by that...

@Marnen, @Rob - ...but isn't reliance on session expensive, e.g., if I've chosen server-side ActiveRecordStore session storage?

Um, compared to what? If the work to instantiate the session from the database, alter a value, and write it base is your bottleneck, I'd say you have one blazingly fast application :wink:

I wouldn't worry about that (at least no yet). You have to load the user info (session + User model) to check the permission anyway so you have to hit the database.

-Rob

My hope would be for something like:

redirect_to :back

But this is a no-go...

Why?

Well, for one thing, you don't always have an HTTP_REFERER (if the user types a URL into the browser for example).

You get this nearly for free with Authlogic anyway. Just modify the example require_user and associated code to fit your needs.

-Rob

Rob Biedenharn R...@AgileConsultingLLC.com http://AgileConsultingLLC.com/ r...@GaslightSoftware.com http://GaslightSoftware.com/

-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

Rob Biedenharn Rob@AgileConsultingLLC.com http://AgileConsultingLLC.com/ rab@GaslightSoftware.com http://GaslightSoftware.com/

Rob,

I see what you're saying, esp., given your comment:

"you have to load the user info (session + User model) to check the permission anyway so you have to hit the database"

Unlike what I sense is anticipated by the Authlogic example code, I take the following approach in my app:

unauthenticated users can use all app functionality up to a certain point, when they have to register (a try-before-you-buy approach.)

So, under this approach I have to apply the require_user approach in a before_filter for every action, not just those associated with a few protected pages. This just seems like a lot of work. It's like adding a layer of authentication goo all over my app and unlike, preferably, enabling authentication as a 'switch' to my app.

Lille

Rob,

I see what you're saying, esp., given your comment:

"you have to load the user info (session + User model) to check the permission anyway so you have to hit the database"

Unlike what I sense is anticipated by the Authlogic example code, I take the following approach in my app:

unauthenticated users can use all app functionality up to a certain point, when they have to register (a try-before-you-buy approach.)

So, under this approach I have to apply the require_user approach in a before_filter for every action, not just those associated with a few protected pages. This just seems like a lot of work. It's like adding a layer of authentication goo all over my app and unlike, preferably, enabling authentication as a 'switch' to my app.

Lille

If you only put the before_filter :require_user on those controllers (or scoped to :only => [:some, :actions]), then you only have the overhead for the actions that really need a user. You can also use (I think) skip_session to avoid all the session overhead when you have absolutely no need for it.

-Rob

@Rob - Yes, I see what you're referring to in the Authlogic example code. I guess I can feel comforted by that...

@Marnen, @Rob - ...but isn't reliance on session expensive, e.g., if I've chosen server-side ActiveRecordStore session storage?

Um, compared to what? If the work to instantiate the session from the database, alter a value, and write it base is your bottleneck, I'd say you have one blazingly fast application :wink:

I wouldn't worry about that (at least no yet). You have to load the user info (session + User model) to check the permission anyway so you have to hit the database.

-Rob

My hope would be for something like:

redirect_to :back

But this is a no-go...

Why?

Well, for one thing, you don't always have an HTTP_REFERER (if the user types a URL into the browser for example).

You get this nearly for free with Authlogic anyway. Just modify the example require_user and associated code to fit your needs.

-Rob

Rob Biedenharn R...@AgileConsultingLLC.com http://AgileConsultingLLC.com/ r...@GaslightSoftware.com http://GaslightSoftware.com/

-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails- talk@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com . For more options, visit this group athttp://groups.google.com/group/rubyonrails-talk?hl=en .

Rob Biedenharn R...@AgileConsultingLLC.com http://AgileConsultingLLC.com/ r...@GaslightSoftware.com http://GaslightSoftware.com/

-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

Rob Biedenharn http://agileconsultingllc.com Rob@AgileConsultingLLC.com +1 513-295-4739 Skype: rob.biedenharn