Hi All,

I managed to achieve what I wanted to. The way I did it was a mixture of
Rails and Hobo.  First up I hid the nav item from unprivileged users
using the Rapid "if" tag like so:

1. Redefined the main-nav tag in application.dryml:

<def tag="main-nav">
  <navigation class="main-nav" merge-attrs param="default">
    <nav-item href="#{base_url}/">Home</nav-item>
    <if test="&current_user.administrator?">
      <nav-item with="&IpAddress">IP Addresses</nav-item>
    </if>
    <nav-item with="&Machine">Machines</nav-item>
  </navigation>
</def>

This line will ensure only admin users can see the tab:
<if test="&current_user.administrator?" >

That's all well and good but if someone knows or guesses the URL then they
can still gain read access to the data which isn't very secure.  For
example: http://127.0.0.1:3000/ip_addresses would still show all of the IP
Addresses.

In order to get around that I created a before filter which I placed at the
head of the IP Address controller.  This code checks the user level and
redirects if someone is trying to be somewhere they shouldn't be.

2.  The code for the IP Address controller:

class IpAddressesController < ApplicationController
  # Run the access check before every action in this controller, including
  # the read-only ones (index/show) that the hidden nav item used to reach.
  before_filter :check_user_level

  hobo_model_controller

  auto_actions :all

  # Keep the filter private: a public method on a Rails controller is itself
  # reachable as an action through the default routes.
  private

  def check_user_level
    puts "\n\n\n!!!AUTHORIZING!!!\n\n\n"
    puts "Is admin user?: #{current_user.administrator?}\n\n\n"

    # If the user doesn't have the required access send them on their way.
    if !current_user.administrator?
      flash[:notice] = "You don't have the required access to be here.  I cast thee out!"
      redirect_to "/"
    end
  end
end

This approach works a treat to solve the problem I described earlier in this
thread.  I hope that this helps someone out in solving a similar problem.

The downside of this is that it doesn't use the Hobo permissions system at
all.  I would really like to know the Hobo way to solve this problem and
welcome any comments or suggestions.

Cheers,
Patrick
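As an added illustration (not code from Patrick's post, and not Rails or Hobo code), the following stand-alone Ruby models the two halves of the approach above: hiding the navigation entry is presentation only, while the before filter is what actually stops a user who knows the URL. The MiniController base class, the User struct, GUEST, IP_ADDRESSES and the two helper functions are all invented for this example; the filter logic mirrors the controller code in the post, with the filter kept private.

```ruby
# Constructed stand-alone model of the pattern described in the post: a
# before filter that runs ahead of every controller action and turns any
# non-admin request into a redirect, so that knowing the URL is not enough.
# Plain Ruby only; MiniController, User, GUEST, IP_ADDRESSES and the helper
# functions are invented for this example and are not Rails or Hobo code.

User = Struct.new(:name, :admin) do
  def administrator?
    admin == true
  end
end

# Stand-in for a logged-out visitor: never an administrator.
GUEST = User.new("guest", false)

# Tiny Rails-like base class: a class-level before_filter registry plus the
# redirect/flash plumbing the filter in the post relies on.
class MiniController
  def self.before_filter(name)
    (@filters ||= []) << name
  end

  def self.filters
    @filters || []
  end

  attr_reader :current_user, :flash, :redirected_to

  def initialize(current_user)
    @current_user = current_user || GUEST   # no session => guest, not a crash
    @flash = {}
    @redirected_to = nil
  end

  def redirect_to(path)
    @redirected_to = path
  end

  # Run every registered filter; if one of them issued a redirect the action
  # body never executes, which is what makes the check an actual barrier.
  def dispatch(action, *args)
    self.class.filters.each do |name|
      send(name)                          # send() so private filters still run
      return { redirect: @redirected_to, flash: @flash } if @redirected_to
    end
    { body: public_send(action, *args), flash: @flash }
  end
end

IP_ADDRESSES = ["10.0.0.1", "10.0.0.2"].freeze   # constructed sample records

class IpAddressesController < MiniController
  before_filter :check_user_level

  def index
    IP_ADDRESSES
  end

  def show(id)
    IP_ADDRESSES.fetch(id)
  end

  private   # a public filter method would itself be reachable as an action

  def check_user_level
    return if current_user.administrator?
    flash[:notice] = "You don't have the required access to be here."
    redirect_to "/"
  end
end

# What the navigation shows is presentation only.
def nav_items_for(user)
  items = ["Home", "Machines"]
  items.insert(1, "IP Addresses") if (user || GUEST).administrator?
  items
end

# What a direct request to the controller actually returns.
def request_ip_addresses(user, action = :index, *args)
  IpAddressesController.new(user).dispatch(action, *args)
end

if __FILE__ == $0
  bob = User.new("bob", false)
  p nav_items_for(bob)                  # link hidden ...
  p request_ip_addresses(bob)           # ... and the direct request is refused
  p request_ip_addresses(User.new("root", true))
end
```

The filter method is deliberately private and the dispatcher uses `public_send` for the action itself, so a request naming the filter as the action fails instead of running it; a nil user is treated as a guest so the check cannot be skipped by simply not being logged in.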

On Fri, Nov 20, 2009 at 11:35 AM, Patrick Fitzgerald
<[email protected]> wrote:

> Hi Adam/All,
>    I'll try to give as much information as possible.  I am looking for the
> Hobo way to fix this problem.  I have attached an image which shows what I
> am trying to do.  Basically I have an ip address model which I only want the
> admin to have access to.  That includes viewing.  I don't want any other
> user to be even aware of the ip address model! :)
>
> Here's the relevant code:
>
> 1. New index page defined in application.dryml
>
> <def tag="index-page" for="IpAddress">
>   <page merge title="Ip Addresses">
>     <body: class="index-page ip-address" param/>
>
>     <content: param>
>       <header param="content-header">
>         <h2 param="heading">Ip Addresses</h2>
>
>         <p param="count" if>There <count prefix="are"/></p>
>       </header>
>
>       <section param="content-body">
>
>         <a action="new" to="&model" param="new-link"/>
>
>         <page-nav param="top-page-nav"/>
>
>         <table-plus fields="this">
>           <% puts "What is this: #[email protected]}" %>
>         </table-plus>
>
>         <collection param/>
>         <page-nav param="bottom-page-nav"/>
>
>
>       </section>
>     </content:>
>   </page>
> </def>
>
> 2. IP Address model:
>
> class IpAddress < ActiveRecord::Base
>
>   hobo_model # Don't put anything above this
>
>   fields do
>     ip_address :string, :name => true
>     timestamps
>   end
>
>   belongs_to :machine
>
>   # --- Permissions --- #
>
>   def create_permitted?
>     acting_user.administrator?
>   end
>
>   def update_permitted?
>     acting_user.administrator?
>   end
>
>   def destroy_permitted?
>     acting_user.administrator?
>   end
>
>   def view_permitted?(field)
>     acting_user.administrator?
>     #true
>   end
>
> end
>
> Everything else is stock Hobo stuff.  If you need anything else from me let
> me know.
>
> Thanks,
> Patrick
>
>
>
> On Thu, Nov 19, 2009 at 11:56 PM, Adam Grant <[email protected]> wrote:
>
>> What does your controller/view code look like? Are you using the hobo
>> methods in your controller/view? Some code pasting would be great!
>>
>> --
>> Adam Grant
>> Lead Web Engineer
>> Telaeris, Inc.
>> [email protected]
>> (858) 627-9710
>>
>>
>> On Thu, Nov 19, 2009 at 3:43 PM, Patrick Fitzgerald <
>> [email protected]> wrote:
>>
>>> Hi all,
>>>    This is probably really simple but...
>>>
>>> I want to prevent a user from accessing a tab and anything at all to do
>>> with a model.  I have tried changing the code to:
>>>
>>> def view_permitted?(field)
>>>   acting_user.administrator?
>>> end
>>>
>>> which didn't affect a normal user's ability to view the page.  I've also
>>> tried to force it using:
>>>
>>> def view_permitted?(field)
>>>   false
>>> end
>>>
>>> Am I missing something obvious?!
>>>
>>> Thanks for all help!
>>>
>>> Patrick
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "Hobo Users" group.
>>> To post to this group, send email to [email protected].
>>> To unsubscribe from this group, send email to
>>> [email protected]<hobousers%[email protected]>
>>> .
>>> For more options, visit this group at
>>> http://groups.google.com/group/hobousers?hl=.
>>>
>>
>>
>
>
