I have created an application with two different types of people that
may log in: students and administrators. I have created a login that
redirects users who have logged in, depending on their role (student
or administrator), to certain pages. How could I now disallow students
from simply changing the URL and getting to the administrator pages?
The only way that I can imagine now is to check in every action whether
session[:me].role == "Administrator" and destroy the session in the
other case. Then again, I don't know that much about Ruby on Rails yet,
so I don't know of a better way.
Exactly. Add a before_filter to all controllers/actions only admins
should be able to access.
class AdminController < ActionController::Base
  before_filter :check_authorization

  # (... your actions and stuff)

  private

  # Note: the comparison must be == (not =), and a missing session[:me]
  # must also be treated as "not authorized", otherwise the check
  # either always passes or raises on anonymous requests.
  def check_authorization
    redirect_to(:controller => "Errors", :action => "not_authorized") unless session[:me] && session[:me].role == "Administrator"
  end
end
Of course you would have to create an Errors controller and a
not_authorized action with a corresponding view. But maybe you have
another action to point to already, for general errors or whatever.