Lets say I have a session based login system:
username = session[:username] (jochen) userid = session[:userid] (1)
Now I want to book a room:
http://127.0.0.1:3000/guests/1/bookings/new (works)
But when I type
http://127.0.0.1:3000/guests/5/bookings/new
I can book a room for a different user.
Whats the prefered way to deny success to urls including a userid so that I can only access these url which include my userid?
Thanx
I would suggest installing the restful_authentication plugin
Once done one way of doing it is in the bookings controller add the following filter
before_filter :login_required
And add a subsequent authorized? method to check if the url user_id matches the current user, The code below checks the user is logged in and is in the correct role.
def authorized?
logged_in? && (current_user.roles.in_role('company') or
current_user.roles.in_role(‘admin’))
end
Jochen Kaechelin wrote:
Unless you're nesting your routes, which in this case might make sense.
--Jeremy
Keep up to date with Rails on Twitter and This Week in Rails
Policies: Conduct, License, Maintenance, Security, Trademarks