REST, limit method access.

Hi,

I'm building a REST based app whereby a number of servers will submit data to the database using activerecord and the web frontend will merely view the data and provide reports.

What is the easiest way to restrict create, update and delete to the remote servers using active record i.e., so that the web frontend can't perform any changes to the database for certain controllers?

Thanks, Toby

On edge you should just be able to raise an appropriate error.

ActionController::MethodNotAllowed
ActionController::NotImplemented
ActionController::UnknownAction

are all actions handled by edge. If you're not on edge you can handle these errors by overwriting rescue_action_in_public(exception).

If you search this list or google there is plenty of information on that method.

HTH Daniel

Oh ok thanks.

What does edge do when one of those errors is raised? Do I explicitly need to rescue them or are they automatically handled?

It’s handled automatically on edge I believe. It’s a pretty new feature.

I saw a blog post on how to use it properly but I can’t seem to put my hands on it at the moment.

Ok I'll have a search. I'm using edge but only the latest stable revision so I hope it is supported there.

How do I differentiate between a call from the web frontend and a call from ActiveResource? Are there tell-tale signs of an ActiveResource call apart from the fact it asks for XML?

I’m guessing there’s not, but I am guessing. If you can change your data via xml, then I think you would need to allow it by xml in all cases. Just check that valid user data is supplied. If a user wants to hack up the browser version so it submits via an xml action then they are going to. That’s if they use the browser at all if they wanted to be malicious.

Best bet is to code it such that xml is allowed and leave it at that. I wouldn’t burn up brain cells trying to worry about ALL the what-ifs a user can do to be bad. Just work out what you want to allow with your authorization permission and leave it at that.

HTH Daniel

Nope, not really. Just check request.format.xml? if you want.
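To tie the two answers together (raising ActionController::MethodNotAllowed for writes the frontend must not perform, and not trusting request.format.xml? as proof that the caller is one of the submitting servers), here is an added example that is not code from this thread or from Rails. It is plain Ruby so it runs without Rails: the Request struct, the api_key credential, the constant-time comparison and the sample keys are all assumptions standing in for a real before_filter, an authentication header and configuration; the two exception classes stand in for ActionController::MethodNotAllowed and ActionController::UnknownAction.

```ruby
# Added example, not code from the thread or from Rails: a pure-Ruby model of
# the decision a controller before_filter would make, written without Rails so
# it runs stand-alone. The exception classes stand in for
# ActionController::MethodNotAllowed and ActionController::UnknownAction.

class MethodNotAllowed < StandardError; end
class UnknownAction    < StandardError; end

# Stand-in for the parts of a Rails request the check needs: the action name,
# the negotiated format (what request.format.xml? reports) and a credential
# header that only the submitting servers are configured to send.
Request = Struct.new(:action, :format, :api_key)

READ_ACTIONS  = %w[index show].freeze
WRITE_ACTIONS = %w[create update destroy].freeze

# Constructed sample credentials, one per submitting server. A real deployment
# would load these from configuration rather than the source file.
API_KEYS = {
  'server-a' => 'k3y-for-server-a',
  'server-b' => 'k3y-for-server-b',
}.freeze

# Constant-time string comparison so a wrong key fails in the same time as any
# other wrong key (no early exit on the first differing byte).
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_api_key?(presented)
  API_KEYS.values.any? { |key| secure_equal?(presented, key) }
end

# The check the thread warns against: the format alone says nothing about who
# is calling, because any browser user can send an XML Accept header.
def format_only_allows_write?(request)
  request.format == :xml
end

# The recommended check: reads are open to everyone, writes require a server
# credential, and the format plays no part in the decision. Unauthenticated
# writes raise MethodNotAllowed, as suggested in the thread.
def authorize!(request)
  return request if READ_ACTIONS.include?(request.action)
  unless WRITE_ACTIONS.include?(request.action)
    raise UnknownAction, "no action #{request.action}"
  end
  unless valid_api_key?(request.api_key)
    raise MethodNotAllowed, "#{request.action} is only allowed for submitting servers"
  end
  request
end

# What a rescue_action_in_public-style handler would turn each outcome into.
def status_for(request)
  authorize!(request)
  200
rescue MethodNotAllowed
  405
rescue UnknownAction
  404
end

if __FILE__ == $PROGRAM_NAME
  [
    Request.new('show',    :html, nil),                 # frontend read      -> 200
    Request.new('create',  :xml,  'k3y-for-server-a'),  # server write       -> 200
    Request.new('create',  :xml,  nil),                 # browser faking XML -> 405
    Request.new('destroy', :html, 'k3y-for-server-b'),  # server, any format -> 200
  ].each { |r| puts "#{r.action.ljust(8)} #{r.format.to_s.ljust(5)} -> #{status_for(r)}" }
end
```

The point the sample rows make is the one Daniel raises: a browser request that merely asks for XML passes format_only_allows_write? but is still refused by authorize!, while a submitting server with a valid key is allowed to write whatever format it negotiates. In a real Rails app the same decision would sit in a before_filter on the controllers whose create, update and destroy actions must stay closed to the frontend, with the credential read from the request rather than a struct.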