Hi folks, another beginner's question.... In a standard Hobo app (standard user model), there is a show action and users can see each other (by url hacking).

    def view_permitted?(field)
      true
    end

If I want to prevent that, I have to take care that resetting a user's own password is still possible. So I came up with a check for the existence of the provided key (in a model I don't have access to fancy request methods). That way I know I am in a lifecycle. Security, aka correctness of the key, is already taken care of by the lifecycle and my password check goes through.

    def view_permitted?(field)
      acting_user.administrator? || self == acting_user ||
        lifecycle.provided_key
    end

Is this a valid approach? (It works, but is this the way to go?)

Cheers,
Stefan
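
Added example, not part of the original post and not Hobo's own code: a stand-alone check of the second rule against each kind of viewer, so the access matrix can be pinned down in a test. `Lifecycle`, `Guest`, `User`, `can_view?` and `permission_matrix` are hypothetical stand-ins, and the key value is constructed.

```ruby
# Stand-ins for the Hobo objects named in the post (hypothetical, not Hobo's classes).
Lifecycle = Struct.new(:provided_key)

class Guest
  def administrator?
    false
  end
end

class User
  attr_accessor :acting_user
  attr_reader :lifecycle

  def initialize(admin: false)
    @admin = admin
    @lifecycle = Lifecycle.new(nil)
  end

  def administrator?
    @admin
  end

  # Rule copied from the post. It tests only that a key was supplied;
  # the post leaves checking the key's correctness to the lifecycle.
  def view_permitted?(field)
    acting_user.administrator? || self == acting_user || lifecycle.provided_key
  end
end

# Evaluate the rule for one viewer, then clear the per-request state again.
def can_view?(record, viewer, key: nil)
  record.acting_user = viewer
  record.lifecycle.provided_key = key
  !!record.view_permitted?(nil)
ensure
  record.acting_user = nil
  record.lifecycle.provided_key = nil
end

# Constructed cases: who may view alice's record.
def permission_matrix
  alice, bob, admin = User.new, User.new, User.new(admin: true)
  {
    self_view:      can_view?(alice, alice),
    other_user:     can_view?(alice, bob),
    administrator:  can_view?(alice, admin),
    guest_no_key:   can_view?(alice, Guest.new),
    guest_with_key: can_view?(alice, Guest.new, key: "constructed-key")
  }
end

puts permission_matrix.inspect if __FILE__ == $PROGRAM_NAME
```

The `guest_with_key` row passes on the presence of a key alone, so the rule is only as strong as the lifecycle's own key check that runs alongside it.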
