REST, limit method access.

Hi,

I'm building a REST based app whereby a number of servers will submit
data to the database using activerecord and the web frontend will
merely view the data and provide reports.

What is the easiest way to restrict create, update and delete to the
remote servers using active record i.e., so that the web frontend
can't perform any changes to the database for certain controllers?

Thanks,
Toby

On edge you should just be able to raise an appropriate error.

ActionController::MethodNotAllowed
ActionController::NotImplemented
ActionController::UnknownAction

Are all actions handled by edge. If your not on edge you can handle these errors by overwriting
rescue_action_in_public(exception)

If you search this list or google there is plenty of information on that method.

HTH
Daniel

Oh ok thanks.

What does edge do when one of those errors is raised? Do I explicitly
need to rescue them or are they automatically handled?

It’s handled automatically on edge I believe. It’s a pretty new feature.

I saw a blog post on how to use it properly but I can’t seem to put my hands on it at the moment.

Ok I'll have a search. I'm using edge but only the latest stable
revision so I hope it is supported there.

How do I differentiate between a call from the web frontend and a call
from activeresource? Are there tell tale signs of an activeresource
call apart from the fact it asks for xml?

I’m guessing there’s not, but I am guessing. If you can change your data via xml, then I think you would need to allow it by xml in all cases. Just check that valid user data is supplied. If a user want’s to hack up the browser version so it submits via an xml action then they are going to. That’s if they use the browser at all if they wanted to be malicious.

Best bet is to code it such that xml is allowed and leave it at that. I wouldn’t burn up braincells trying to worry about ALL the what-ifs a user can do to be bad. Just work out what you want to allow with your authorization permission and leave it at that.

HTH
Daniel

Nope, not really. Just check request.format.xml? if you want.