restful_authentication + nested resources => failed to authenticate

rubyonrails-talk
1

To all:

hi,

i used rails 1.2.6 + restful_authentication plugin

  #base_url   base = '/v1'

  map.resources :users, :path_prefix => base

  map.resources :users do |users|     users.resources :orders, :path_prefix => '/v1/users/:id'   end

  map.resource :session

  map.signup '/signup', :controller => 'users', :action => 'new'   map.login '/login', :controller => 'session', :action => 'new'   map.logout '/logout', :controller => 'session', :action => 'destroy'

this is my routes.rb

when i first started my webrick, i tried to access localhost:3001/v1/ users/username1/orders i was prompted for my username password. so it worked.

however when i type in localhost:3001/logout

and when i try localhost:3001/v1/users/username1/orders, it failed to prompt me.

it showed

You have been logged out. Listing orders

<data here>

<New order link here>

exposing data when I have already logged out.

May I ask what is wrong here?

Thanks!

2

Forgot to mention that i also installed http_authentication plugin as well.

3

Somehow my session is not destroyed.

what have i gone wrong?

inside my application.rb

# Filters   before_filter :authenticate

  # Sets @authenticated_user if the user provides valid   # credentials. THis may be used to deny access or customise the view   def authenticate     @authenticated_user = nil     authenticate_with_http_basic do |user, password|

      @authenticated_user = User.authenticate(user, password)     end

    return true   end

  #Filter for actions that _require_ authentication. Unless client authenticated   # as some user, takes over the request and sends a response code of 401.   def must_authenticate     if @authenticated_user && (@user_is_viewing_themselves != false)       return true     else       request_http_basic_authentication       return false     end   end

  # A filter for controllers beneath /users/{login}.   # Transforms {login} into user ID. Sends a 404 response code   # if the user does not exist.   def must_specify_user     if params[:id]       @user = User.find_by_permalink(params[:id])       if_found(@user) {params[:user_id] = @user.id}       return false unless @user     end     # for limiting view to authenticated user     @user_is_viewing_themselves = (@authenticated_user == @user)     return true   end

in my orders_controller i use before_filter :must_authenticate and before_filter:must_specify_user