Hi,

We are implementing our first site using Hobo and are making progress,
but I am looking at some security/privacy issues: if you manually
enter the URL of a user's info page,
"http://127.0.0.1:3000/users/1-mark-jones", then a guest is able to
view all the user's info.

We tried to get around this by adding a permission check to the user model:

def view_permitted?(field)
  # Only an administrator or the record's owner may view any field.
  acting_user.administrator? || owner_is?(acting_user)
end

The thinking being that only an admin or the currently logged-in user
would be able to view these details. This sort of worked, but if we
then went to the signup page, the user fields to complete were not
shown.

The signup page is done in application.dryml

<def tag="signup-form" for="User">
  <form lifecycle="signup" merge param="default">
    <error-messages param/>
    1. Your Details
    <field-list fields="name, email_address, password, password_confirmation" param/>
    2. Your company
    <field-list fields="company_name, website, address_line_1, address_line_2, towncity, countystate, postcodezip, country" param/>
    <br />
    <div param="actions">
      <submit label="#{ht 'users.actions.save', :default=>['Save']}" param/><or-cancel param="cancel"/>
    </div>
  </form>
</def>


Can anyone help with this? I also tried creating a custom show event
and checking for admin or current user, but that didn't work either.

Thanks

Mark Jones
Application Test Manager
Antix Labs Ltd
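The tension described in the post (a per-field view check that locks guests out of an existing user's page but must still let a guest fill in the signup form) can be modelled without Rails. The following is an added example, not code from the post or from Hobo: it is a stand-alone Ruby sketch in which `acting_user`, `administrator?`, `guest?`, `new_record?`, `owner_is?` and `view_permitted?(field)` are assumed to follow Hobo/ActiveRecord conventions and are re-implemented in plain Ruby. The key distinction it makes is between an unsaved record (the signup form, where there is nothing private to leak yet) and a saved record (the show page, where only the owner or an administrator sees private fields and nobody sees password fields).

```ruby
# Added example (not from the original post or from Hobo): a stand-alone
# sketch of a per-field view permission for a User model. The names
# acting_user, administrator?, guest?, new_record?, owner_is? and
# view_permitted?(field) are assumed to mirror Hobo/ActiveRecord conventions
# and are re-implemented here so the file runs without Rails.

# Stand-in for Hobo's guest object: a visitor who is not logged in.
class Guest
  def administrator?
    false
  end

  def guest?
    true
  end
end

class User
  # Every attribute the signup form in the post asks for.
  ALL_FIELDS = %i[name email_address password password_confirmation
                  company_name website address_line_1 address_line_2
                  towncity countystate postcodezip country].freeze

  # Fields anyone, including a guest, may see on an existing user's page.
  PUBLIC_FIELDS = %i[name].freeze

  # Fields never rendered for a saved record, not even to the owner or an
  # administrator; they belong only on the signup / password-change forms.
  SECRET_FIELDS = %i[password password_confirmation crypted_password].freeze

  attr_accessor :acting_user
  attr_reader :id, :name, :email_address

  def initialize(id: nil, name: nil, email_address: nil, administrator: false)
    @id = id
    @name = name
    @email_address = email_address
    @administrator = administrator
  end

  # An unsaved record is the one being filled in on the signup form.
  def new_record?
    @id.nil?
  end

  def administrator?
    @administrator
  end

  def guest?
    false
  end

  # Field-level view permission, modelled on Hobo's view_permitted?(field).
  # A false answer for a field is what stops a <field-list> rendering it.
  def view_permitted?(field)
    field = field.to_sym
    actor = acting_user || Guest.new # no acting user at all is treated as a guest
    # Signup: nothing private exists yet and the (guest) actor must see the
    # fields in order to fill them in.
    return true if new_record?
    return false if SECRET_FIELDS.include?(field)
    return true if actor.administrator?
    return true if owner_is?(actor)
    PUBLIC_FIELDS.include?(field)
  end

  # The fields a <field-list> would actually render for the acting user.
  def visible_fields
    ALL_FIELDS.select { |f| view_permitted?(f) }
  end

  private

  # For a User record the "owner" is the user themselves; compare by id so a
  # second loaded copy of the same row still counts as the owner.
  def owner_is?(user)
    user.is_a?(User) && !user.new_record? && user.id == id
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data, not real accounts.
  mark = User.new(id: 1, name: "mark", email_address: "mark@example.invalid")
  mark.acting_user = Guest.new
  puts "guest sees: #{mark.visible_fields.inspect}"
  mark.acting_user = mark
  puts "owner sees: #{mark.visible_fields.inspect}"
end
```

The `new_record?` branch is what keeps the signup form working: the guest is allowed to see every field of a user that does not exist yet, while a guest loading an existing user's page gets only the public fields. Password fields are excluded from the show page for everyone, since a view permission that says "owner may see everything" would otherwise render them.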

--

You received this message because you are subscribed to the Google Groups "Hobo 
Users" group.