On Nov 24, 2009, at 2:16 PM, Mark Jones wrote:

> Hi,
>
> We are implementing our first site using hobo and are making progress,
> but I am looking at some security / privacy issues: if you manually
> add the URL to a user's info page,
> "http://127.0.0.1:3000/users/1-mark-jones", then a guest is able to
> view all the user's info.
>
> We tried to get around this by adding permission to the user model:
>
> def view_permitted?(field)
>   acting_user.administrator? || owner_is?(acting_user)
> end
>

Try adding "|| new_record?" to the end of that sequence of
conditionals - there are still some edge cases where user_view gets
called on a new (empty) user record in the new/create actions.

--Matt Jones
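The difference the suggested "|| new_record?" makes, as an added, stand-alone example (this is not Hobo's own code and not code from the thread): a minimal stand-in for a Hobo model with a view_permitted? hook. The Guest and User classes, the owner_is? definition (the record owns itself) and the can_view? helper are assumptions made for the example; Hobo's real acting_user is set from the session, but the three-way rule admin / owner / new record is the one discussed above.

```ruby
# Added example, not Hobo's code: simulate Hobo's view_permitted? hook
# on a User model to show why "|| new_record?" is needed for the
# new/create actions while persisted records stay guest-proof.

# Hobo represents an anonymous visitor as a Guest object (assumption:
# only the two predicates used below are modelled).
class Guest
  def administrator?; false; end
  def guest?;         true;  end
end

class User
  attr_reader :id, :name
  attr_accessor :acting_user   # Hobo sets this from the current session

  def initialize(id: nil, name: nil, administrator: false)
    @id            = id
    @name          = name
    @administrator = administrator
  end

  def administrator?; @administrator; end
  def guest?;         false;          end

  # ActiveRecord semantics: a record with no id has not been saved yet.
  def new_record?; @id.nil?; end

  # Assumption for this example: a user record is owned by itself, so
  # only the same (non-guest) user object counts as the owner.
  def owner_is?(user)
    !user.guest? && user.equal?(self)
  end

  # The rule as originally posted in the thread: guests are locked out of
  # persisted users, but the blank record built by the new/create actions
  # has no owner yet, so it is denied as well and the signup form breaks.
  def view_permitted_as_posted?(_field)
    acting_user.administrator? || owner_is?(acting_user)
  end

  # The rule with the suggested fix: an unsaved record carries no stored
  # data, so letting its empty fields be viewed exposes nothing, while
  # every saved record still requires admin or owner.
  def view_permitted?(_field)
    acting_user.administrator? || owner_is?(acting_user) || new_record?
  end
end

# Helper (assumption): bind the viewer the way Hobo binds acting_user,
# then evaluate either version of the rule for one field.
def can_view?(record, viewer, field = :email, fixed: true)
  record.acting_user = viewer
  if fixed
    record.view_permitted?(field)
  else
    record.view_permitted_as_posted?(field)
  end
end

if __FILE__ == $0
  mark  = User.new(id: 1, name: "mark-jones")   # constructed sample data
  other = User.new(id: 2, name: "someone-else")
  admin = User.new(id: 3, name: "admin", administrator: true)
  blank = User.new                              # what new/create builds
  guest = Guest.new

  [["guest -> /users/1", mark, guest], ["mark -> /users/1", mark, mark],
   ["other -> /users/1", mark, other], ["admin -> /users/1", mark, admin],
   ["guest -> /users/new", blank, guest]].each do |label, rec, who|
    printf("%-22s as posted: %-5s with new_record?: %s\n", label,
           can_view?(rec, who, fixed: false), can_view?(rec, who))
  end
end
```

The only row the fix changes is the blank record in the new action; every persisted record keeps the admin-or-owner requirement, which is the property that closes the original /users/1-mark-jones exposure.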

--

You received this message because you are subscribed to the Google Groups "Hobo 
Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/hobousers?hl=en.