Hi Mark,
    I had a similar problem to this before; I managed to solve it by using
a before_filter in the controller, maybe a similar approach would help you.
 I have pasted the mail below with the details.  I hope it helps.

Cheers,
Patrick

Mail I sent previously:
Hi All,

I managed to achieve what I wanted to. The way I did it was a mixture of
Rails and Hobo.  First up I hid the nav item from unprivileged users using
the Rapid "if" tag like so:

1. Redefined the main-nav tag in application.dryml:

<def tag="main-nav">
  <navigation class="main-nav" merge-attrs param="default">
    <nav-item href="#{base_url}/">Home</nav-item>
    <if test="&current_user.administrator?">
      <nav-item with="&IpAddress">IP Addresses</nav-item>
    </if>
    <nav-item with="&Machine">Machines</nav-item>
  </navigation>
</def>

This line will ensure only admin users can see the tab:
<if test="&current_user.administrator?">

That's all well and good but if someone knows or guesses the URL then they
can still gain read access to the data, which isn't very secure.  For
example: http://127.0.0.1:3000/ip_addresses would still show all of the IP
Addresses.

In order to get around that I created a before filter which I placed at the
head of the IP Address controller.  This code checks the user level and
redirects if someone is trying to be somewhere they shouldn't be.

2.  The code for the IP Address controller:

class IpAddressesController < ApplicationController
  # Runs before every action in this controller, so a guessed URL is
  # redirected before any IP address data is rendered.
  before_filter :check_user_level

  hobo_model_controller

  auto_actions :all

  private

  # Private so Rails does not expose check_user_level as a routable action.
  def check_user_level
    puts "\n\n\n!!!AUTHORIZING!!!\n\n\n"
    puts "Is admin user?: #{current_user.administrator?}\n\n\n"

    # If the user doesn't have the required access send them on their way.
    if !current_user.administrator?
      flash[:notice] = "You don't have the required access to be here.  I cast thee out!"
      redirect_to "/"
    end
  end
end

This approach works a treat to solve the problem I described earlier in this
thread.  I hope that this helps someone out in solving a similar problem.

The downside of this is that it doesn't use the Hobo permissions system at
all.  I would really like to know the Hobo way to solve this problem and
welcome any comments or suggestions.

Cheers,
Patrick

On Tue, Nov 24, 2009 at 8:37 PM, Bryan Larsen <[email protected]> wrote:

> Matt Jones wrote:
> > On Nov 24, 2009, at 2:16 PM, Mark Jones wrote:
> >> def view_permitted?(field)
> >> acting_user.administrator? || owner_is?(acting_user)
> >> end
> >>
> >
> > Try adding "|| new_record?" to the end of that sequence of
> > conditionals - there are still some edge cases where user_view gets
> > called on a new (empty) user record in the new/create actions.
> >
>
> Coincidentally,  I pushed a fix for that yesterday.  So if you use the
> hobo from git://github.com/tablatom/hobo.git, Matt's workaround
> shouldn't be necessary.
>
> If not, please let me know!
>
> thanks,
> Bryan
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Hobo Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<hobousers%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/hobousers?hl=en.
>
>
>
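The two authorization layers this thread discusses, as an added example in plain Ruby (not Patrick's controller, not Mark's model and not Hobo's own API): a controller-style guard in the shape of the before_filter above, and a record-level view_permitted? in the shape of Mark's method with Matt's new_record? edge case handled. The User, IpAddress, ip_addresses_index and viewable_records names are assumptions for the example.

```ruby
# Added example: framework-free stand-ins for the controller filter and
# the Hobo-style model permission from this thread. No Rails or Hobo needed.

# Minimal user: administrator? mirrors the check used in the thread.
User = Struct.new(:name, :admin) do
  def administrator?
    admin
  end
end

class IpAddress
  attr_reader :address, :owner

  # new_record: stands in for ActiveRecord's new_record? on an unsaved row.
  def initialize(address, owner: nil, new_record: false)
    @address, @owner, @new_record = address, owner, new_record
  end

  def new_record?
    @new_record
  end

  def owner_is?(user)
    !owner.nil? && owner == user
  end

  # Record-level check in the shape of Mark's view_permitted?, with Matt's
  # "|| new_record?" so the empty record built by new/create is viewable
  # even though it has no owner yet. A nil (anonymous) user sees nothing else.
  def view_permitted?(acting_user, _field = nil)
    return true if new_record?
    return false if acting_user.nil?
    acting_user.administrator? || owner_is?(acting_user)
  end
end

# Controller-level guard in the shape of the before_filter above: non-admins
# get a redirect instead of the data, so hiding the nav tab is not the only
# thing standing between a guessed URL and the index.
def ip_addresses_index(current_user, records)
  unless current_user && current_user.administrator?
    return { redirect_to: "/", flash: "You don't have the required access to be here." }
  end
  { records: records }
end

# The "Hobo way" alternative: filter through the model permission, so an
# owner sees their own records without needing a blanket admin-only filter.
def viewable_records(current_user, records)
  records.select { |record| record.view_permitted?(current_user) }
end
```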
