Check out the wiki section on github - and in particular the one on
security.
It will take you through the various levels of security - and they do
actually work.
To limit a controller action just use:
#{action_name}_authorized? in your controller or helper. So far I can
only make it work with the built-in controllers - for your own
controllers I just posted to figure out how to do that.
def update_authorized?
  # only these roles may run the update action
  ['admin', 'something', 'something'].include?(current_user.role)
end
the role needs to match what your authentication system gives you -
this works with restful_authentication
And if you need something more detailed here is what I use in one of my
models to prevent non-admins from destroying a record:
def authorized_for_destroy?
  if existing_record_check?
    # saved record: admins may destroy anything, everyone else only their own
    if current_user.role == 'admin'
      return true
    else
      return (self.user_id == current_user.id)
    end
  else
    # unsaved record: nothing to protect yet
    return true
  end
end
On Apr 10, 6:27 am, Kenny Ortmann <[email protected]> wrote:
> it might be :destroy instead of delete
>
> On Thu, Apr 9, 2009 at 3:13 PM, [email protected] <
>
> [email protected]> wrote:
>
> > I've tried this and the admin role checking works but didn't add the
> > "delete" action to the menu. I've added some debug session data to
> > verified that. Maybe something is wrong with
> > "active_scaffold_config.actions.add :delete" statement?
> > if @session['user'].admin
> > active_scaffold_config.actions.add :delete
> > @session['permission']="1"
> > else
>
> > I've added the filter definition in application controller and added
> > the before filter to the controller where I need to add the delete.
> > But the delete doesn't show.
>
> > On Apr 7, 11:36 am, Kenny Ortmann <[email protected]> wrote:
> > > You can't get to the session when you are declaring the config. You need
> > to
> > > do this on a before filter.
>
> > > before_filter :add_delete_if_admin
>
> > > def add_delete_if_admin
> > > if session['user'].admin
> > > active_scaffold_config.actions.add :delete
> > > else
> > > active_scaffold_config.actions.exclude :delete
> > > end
> > > end
>
> > > you should also implement this method, which will prevent the deletion
> > from
> > > happening if someone is trying to url hijack and delete things.
>
> > > def delete_authorized?
> > > session['user'].admin
> > > end
>
> > > On Mon, Apr 6, 2009 at 11:27 PM, [email protected] <
>
> > > [email protected]> wrote:
>
> > > > Does anyone know how to check the current user field (I have an admin
> > > > field to have a simple role base permission level) in the
> > > > "config.actions.add :delete" line?
>
> > > > The generated loginsystem store the session['user'], and I was able to
> > > > use that object data in the view but not the controller where I use
> > > > config.actions.add to add the delete as an option for admin only.
>
> > > > I tried it with @session['user'].admin, session['user'], and other
> > > > variations and it wasn't able to even pull that session up.
>
> > > > Can anyone please help?
You received this message because you are subscribed to the Google Groups
"ActiveScaffold : Ruby on Rails plugin" group.
For more options, visit this group at
http://groups.google.com/group/activescaffold?hl=en
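The two layers discussed in this thread, the controller-level "#{action}_authorized?" gate and the record-level "authorized_for_destroy?" check, as an added plain-Ruby simulation that is not ActiveScaffold's own code; the User/Post classes, the editor role and the DELETE_ROLES list are constructed assumptions, and the simulation goes slightly beyond the thread by letting editors attempt delete at the controller level so that the record-level gate visibly restricts them to their own rows.

```ruby
# Added example, not ActiveScaffold's own code: a plain-Ruby model of the two
# authorization layers in this thread. ActiveScaffold calls
# "#{action}_authorized?" on the controller and "authorized_for_#{action}?"
# on the record; both are simulated here so the checks run without Rails.
User = Struct.new(:id, :role)

class Post
  attr_reader :user_id, :persisted

  def initialize(user_id, persisted: true)
    @user_id = user_id
    @persisted = persisted
  end

  # Record-level gate with the thread's authorized_for_destroy? logic:
  # unsaved records are always allowed, saved ones only for admin or owner.
  def authorized_for_destroy?(current_user)
    return true unless persisted
    current_user.role == 'admin' || user_id == current_user.id
  end
end

class PostsController
  # Constructed role lists (assumption): editors may attempt delete, but the
  # record-level gate then limits them to their own posts.
  UPDATE_ROLES = %w[admin editor].freeze
  DELETE_ROLES = %w[admin editor].freeze
  attr_reader :destroyed

  def initialize(current_user, posts)
    @current_user, @posts, @destroyed = current_user, posts, []
  end

  # Controller-level gates, like update_authorized?/delete_authorized? above.
  def update_authorized?; UPDATE_ROLES.include?(@current_user.role); end
  def delete_authorized?; DELETE_ROLES.include?(@current_user.role); end

  # Hiding a menu entry is cosmetic: a hand-typed URL skips the menu, so
  # destroy below re-runs the same gates instead of trusting the UI.
  def visible_actions
    %i[update delete].select { |a| send("#{a}_authorized?") }
  end

  # Simulated request to /posts/:id/destroy: both gates must pass.
  def destroy(id)
    post = @posts.fetch(id)
    return :forbidden unless delete_authorized? && post.authorized_for_destroy?(@current_user)
    @destroyed << id
    :ok
  end
end
```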