I'm building a REST-based app whereby a number of servers will submit
data to the database using activerecord and the web frontend will
merely view the data and provide reports.
What is the easiest way to restrict create, update and delete to the
remote servers using active record i.e., so that the web frontend
can't perform any changes to the database for certain controllers?
OK, I'll have a search. I'm using edge but only the latest stable
revision so I hope it is supported there.
How do I differentiate between a call from the web frontend and a call
from activeresource? Are there telltale signs of an activeresource
call apart from the fact it asks for xml?
I’m guessing there’s not, but I am guessing. If you can change your data via xml, then I think you would need to allow it by xml in all cases. Just check that valid user data is supplied. If a user wants to hack up the browser version so it submits via an xml action then they are going to. That’s if they use the browser at all if they wanted to be malicious.
Best bet is to code it such that xml is allowed and leave it at that. I wouldn’t burn up brain cells trying to worry about ALL the what-ifs a user can do to be bad. Just work out what you want to allow with your authorization permission and leave it at that.
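An added example, not from this thread or from Rails/ActiveResource itself, showing the approach the reply recommends: decide who may write based on the HTTP method, the controller and an authenticated caller role, and ignore the requested format entirely. It is plain Ruby so it runs without Rails; `Request`, `WRITE_RESTRICTED_CONTROLLERS`, `SERVER_TOKENS` and the token values are all constructed for the example, and the format-only heuristic is included only to show why it cannot tell a browser from a remote server.

```ruby
require 'set'

# Constructed for this example: the controllers whose create/update/delete
# actions should only be reachable by the data-submitting servers.
WRITE_RESTRICTED_CONTROLLERS = Set['measurements', 'reports'].freeze

# Constructed credential table (token -> role). A real app would look these
# up from a store and compare them in constant time; the values here are
# placeholders, not real secrets.
SERVER_TOKENS = { 'srv-token-1' => :server, 'srv-token-2' => :server }.freeze

# HTTP verbs that change data.
WRITE_VERBS = Set['POST', 'PUT', 'DELETE'].freeze

# Minimal stand-in for a Rails request: verb, controller name, requested
# format (xml/html) and the credential presented by the caller, if any.
Request = Struct.new(:verb, :controller, :format, :token, keyword_init: true)

# Anyone without a recognised server token is treated as the web frontend.
def role_for(request)
  SERVER_TOKENS.fetch(request.token, :web_frontend)
end

# Authorization decision that does NOT look at the format: reads are open,
# writes to unrestricted controllers are open, writes to restricted
# controllers require an authenticated server role.
def authorized?(request)
  return true unless WRITE_VERBS.include?(request.verb.to_s.upcase)
  return true unless WRITE_RESTRICTED_CONTROLLERS.include?(request.controller)
  role_for(request) == :server
end

# The "does it ask for xml?" heuristic from the question. Any client can
# request xml, so this lets a browser-originated write straight through.
def format_heuristic_allows_write?(request)
  request.format == 'xml'
end

if __FILE__ == $PROGRAM_NAME
  browser_write = Request.new(verb: 'POST', controller: 'measurements',
                              format: 'xml', token: nil)
  puts "format heuristic: #{format_heuristic_allows_write?(browser_write)}"
  puts "role-based check: #{authorized?(browser_write)}"
end
```

In Rails terms the `authorized?` decision would live in a `before_filter` on the restricted controllers, with the token read from the request headers; the point the example makes is that the same rule applies whether the body arrives as xml or as a form post.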