I'm working through a Rails tutorial and saw the following code:
    class UsersController < ApplicationController
      before_filter :authenticate, :only => [:edit, :update]
      before_filter :correct_user, :only => [:edit, :update]
      private   # the two filter methods below are helpers, not actions
        def authenticate
          deny_access unless signed_in?
        end
        def correct_user
          @user = User.find(params[:id])
          redirect_to(root_path) unless current_user?(@user)
        end
    end
Why are authenticate and correct_user private methods? Would it be
harmful if they were made public? What would be the consequences?
Public methods in the controller are normally controller actions. Do
you have a specific reason for wanting them public?
Because external code could be written to take advantage of your authentication process and break in. In general, any method you don’t want other parts of your code to have access to and/or are only for the internal workings of the code they are in should be private.
I don't, I just wanted to understand the nuance of keeping those methods
private - thanks!
If the assignment of current user is public, a user can steal resources from another.
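An added example to illustrate the two answers above (it is not code from the question, the tutorial, or Rails itself). Rails decides which controller methods are routable by taking the public instance methods a controller adds on top of its base class (AbstractController::Base.action_methods); private and protected methods are never dispatched. The plain-Ruby model below reproduces that rule with a ToyController that stands in for ApplicationController, a dispatch method that stands in for a catch-all ":controller/:action/:id" route, and hypothetical signed_in?/current_user? helpers. UsersController keeps authenticate and correct_user private; LeakyUsersController is the same controller with them made public. Names such as ToyController, LeakyUsersController, dispatch, filters_run and loaded_user are assumptions made for this example.

```ruby
require 'set'

# Added example, not code from the question or the Rails Tutorial. It models in
# plain Ruby (no Rails required) the rule Rails uses to decide which controller
# methods are routable: AbstractController::Base.action_methods is, roughly, the
# PUBLIC instance methods a controller adds on top of its base class. Private
# and protected methods are never dispatched, whatever the routes say.
class ToyController
  attr_reader :params, :response, :filters_run

  def initialize(params, current_user)
    @params, @current_user, @response, @filters_run = params, current_user, nil, []
  end

  # Rails-like: the actions are the public methods the subclass introduces.
  def self.action_methods
    Set.new((public_instance_methods(true) -
             ToyController.public_instance_methods(true)).map(&:to_s))
  end

  # Minimal before_filter: a method name plus the :only list it applies to.
  def self.before_filter(name, only: [])
    filters << [name, only.map(&:to_s)]
  end

  # Filters declared on a parent controller are inherited, as in Rails.
  def self.filters
    @filters ||= superclass.respond_to?(:filters) ? superclass.filters.dup : []
  end

  # Dispatch an action name the way a catch-all `:controller/:action` route would.
  def self.dispatch(action, params, current_user: nil)
    unless action_methods.include?(action)
      return { status: 404, filters_run: [], loaded_user: nil }
    end
    ctrl = new(params, current_user)
    filters.each do |name, only|
      next unless only.empty? || only.include?(action)
      ctrl.filters_run << name
      ctrl.send(name)                 # send: private filters still run
      break if ctrl.response          # a redirect halts the chain
    end
    ctrl.send(action) unless ctrl.response
    (ctrl.response || { status: 200 }).merge(
      filters_run: ctrl.filters_run,
      loaded_user: ctrl.instance_variable_get(:@user)
    )
  end

  private   # hypothetical session helpers, standing in for the tutorial's

  def signed_in?
    !@current_user.nil?
  end

  def current_user?(user)
    @current_user == user
  end

  def redirect_to(path)
    @response = { status: 302, location: path }
  end
end

class UsersController < ToyController
  before_filter :authenticate,  only: [:edit, :update]
  before_filter :correct_user,  only: [:edit, :update]

  def edit
    @response = { status: 200, editing: @user }
  end

  private

  def authenticate
    redirect_to('/signin') unless signed_in?   # stands in for deny_access
  end

  def correct_user
    @user = params[:id]                        # stands in for User.find
    redirect_to('/') unless current_user?(@user)
  end
end

# Same controller, but with the two helpers made public, i.e. routable.
class LeakyUsersController < UsersController
  public :authenticate, :correct_user
end

# Four requests: owner editing, another user editing, and a direct request
# for /users/correct_user against both controllers. Sample ids are constructed.
def demo
  {
    edit_as_owner:  UsersController.dispatch('edit', { id: 7 }, current_user: 7),
    edit_as_other:  UsersController.dispatch('edit', { id: 7 }, current_user: 3),
    helper_private: UsersController.dispatch('correct_user', { id: 7 }),
    helper_public:  LeakyUsersController.dispatch('correct_user', { id: 7 })
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With the helpers private, a request for correct_user gets a 404 because it is not an action at all. With them public, the same request is routed, and because the before_filters were declared with :only => [:edit, :update] none of them run: the helper executes its User.find for an unauthenticated caller with an empty filter chain. That is the concrete consequence behind "public methods in the controller are controller actions". Two caveats: Rails only exposes every public method this way when a catch-all route is present (the Rails 3 generator shipped one commented out in routes.rb), and before_filter was renamed before_action in Rails 4 and removed in 5.1.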