Steve Koppelman <[EMAIL PROTECTED]> writes:

> Then I tried logging out to test one of my privileged non-admin users on
> a site maintenance page. I accessed /user/logout and the app told me I'm
> logged out. But when I then went to a protected URI, instead of being
> redirected to /user/login as I am on my development box (which works
> absolutely as it should no matter what I throw at it), I am allowed
> access. Which either means permissions aren't working in a dangerous way
> (if the code is broken, failure should result in denial, not access), or
> I'm not really being logged out despite being presented with HTML that
> says I have been.
Check the session variable; it should be set to nil if you log out. If you are using a database to store sessions, then check that the corresponding session entry is removed. Check the permissions_roles table, and verify that the permissions are correctly set, or not present, for the guest user. See if you have before_filter :authorize_action enabled, and that it is indeed being called. Also, set up tests which will automatically check whether an entry is enabled or disabled for different users. As a developer, don't just go by the HTML, because it might be rendered by some other bug and may be misleading.

Hope this helps.

--
Surendra Singhi
http://ssinghi.kreeti.com, http://www.kreeti.com
Read my blog at: http://cuttingtheredtape.blogspot.com/

,----
| Great wits are sure to madness near allied,
| And thin partitions do their bounds divide.
|
| (John Dryden, Absalom and Achitophel, 1681)
`----

_______________________________________________
engine-users mailing list
[email protected]
http://lists.rails-engines.org/listinfo.cgi/engine-users-rails-engines.org
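The checks in the reply above (session nil after logout, database session row removed, permissions per role, a fail-closed authorize filter, and automated tests covering each user) as a worked example. This is an added, self-contained plain-Ruby model and is not code from the rails-engines LoginEngine/UserEngine or from either poster: SessionStore, PERMISSIONS, App#login, App#logout and App#authorize_action are hypothetical stand-ins for the real ActiveRecord session store, the permissions_roles table and the engine's controller filter.

```ruby
require 'securerandom'

# Stand-in for a database-backed session store (one row per session id).
# Hypothetical class, not the engine's own store.
class SessionStore
  def initialize
    @rows = {}
  end

  def create(data)
    id = SecureRandom.hex(8)
    @rows[id] = data.dup
    id
  end

  # Returns nil when no row exists, which is what a logged-out session
  # must look like.
  def find(id)
    @rows[id]
  end

  def destroy(id)
    @rows.delete(id)
  end
end

# Constructed stand-in for the permissions_roles table: which actions
# each role may reach. 'guest' deliberately has no grant on maintenance.
PERMISSIONS = {
  'admin'  => %w[index maintenance],
  'editor' => %w[index maintenance],
  'guest'  => %w[index]
}.freeze

class App
  attr_reader :store

  def initialize
    @store = SessionStore.new
  end

  def login(role)
    @store.create(user: { role: role })
  end

  # Mirrors /user/logout: the session row is really removed, not merely
  # followed by a page that says "you are logged out".
  def logout(session_id)
    @store.destroy(session_id)
    :logged_out
  end

  # Stand-in for before_filter :authorize_action. Fails closed: no
  # session, no user, unknown role or missing grant all redirect to
  # /user/login; only an explicit grant allows the request.
  def authorize_action(session_id, action)
    session = session_id && @store.find(session_id)
    user = session && session[:user]
    return :redirect_to_login if user.nil?

    allowed = PERMISSIONS.fetch(user[:role], [])
    allowed.include?(action) ? :allowed : :redirect_to_login
  end

  def request(session_id, action)
    authorize_action(session_id, action)
  end
end

# The automated checks the reply recommends, returned as a hash so a test
# can assert on each one instead of trusting rendered HTML.
def run_checks
  app = App.new
  sid = app.login('editor')
  results = {}
  results[:before_logout]    = app.request(sid, 'maintenance')
  results[:logout]           = app.logout(sid)
  results[:session_removed]  = app.store.find(sid).nil?
  results[:after_logout]     = app.request(sid, 'maintenance')
  results[:no_session]       = app.request(nil, 'maintenance')
  guest = app.login('guest')
  results[:guest_maintenance] = app.request(guest, 'maintenance')
  results[:guest_index]       = app.request(guest, 'index')
  results[:unknown_role]      = app.request(app.login('nobody'), 'index')
  results
end

if __FILE__ == $PROGRAM_NAME
  run_checks.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

The point of the model is the ordering of checks in authorize_action: the user lookup and the permission lookup both default to denial, so a broken session store or an empty permissions_roles row surfaces as a redirect to /user/login rather than as access. In a real Rails functional test the same assertions would be written against session[:user], the sessions table and the response's redirect target.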
