might also add in a record_new? check on that to avoid glitches during signup.
On Monday, January 13, 2014 10:36:38 AM UTC-7, Stefan Haslinger wrote:
>
> Hi folks,
>
> another beginner's question....
> In a standard Hobo app (standard user model), there is a show action and
> users can see each other (by url hacking).
>
>> def view_permitted?(field)
>>   true
>> end
>
> If I want to prevent that, I have to take care that resetting a user's
> own password is still possible.
> So I came up with a check for the existence of the provided key (in a
> model I don't have access to fancy request methods).
> That way I know I am in a lifecycle. Security aka correctness of the key
> is already taken care of by the lifecycle and my password check goes
> through.
>
>> def view_permitted?(field)
>>   acting_user.administrator? || self == acting_user ||
>>     lifecycle.provided_key
>> end
>
> Is this a valid approach? (It works, but is this the way to go?)
>
> Cheers,
> Stefan
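The rule from the thread, with the new-record check from the reply added, written out as a decision table (an added example, not code from either poster or from Hobo). The classes are plain-Ruby stand-ins, the new-record check is assumed to mean ActiveRecord's new_record?, and, as Stefan states, the key is assumed to have been validated by the lifecycle already.

```ruby
# Stand-ins for the Hobo objects named in the thread (not Hobo's own classes).
Lifecycle = Struct.new(:provided_key)

class User
  attr_reader :name, :lifecycle
  attr_accessor :acting_user

  def initialize(name, admin: false, persisted: true, key: nil)
    @name = name
    @admin = admin
    @persisted = persisted
    @lifecycle = Lifecycle.new(key)
  end

  def administrator?; @admin; end
  def new_record?; !@persisted; end   # same name as ActiveRecord's predicate

  # Stefan's rule plus the new-record check suggested in the reply.
  # !! turns the key string (or nil) into a strict boolean.
  def view_permitted?(_field = nil)
    !!(new_record? ||
       acting_user.administrator? ||
       self == acting_user ||
       lifecycle.provided_key)
  end
end

# Constructed stand-in for an anonymous visitor.
class Guest
  def administrator?; false; end
end

# Hypothetical helper: evaluate the rule for one viewer/record pair.
def can_view?(viewer, record)
  record.acting_user = viewer
  record.view_permitted?(:email_address)
end

# Constructed sample users.
ALICE = User.new("alice")
BOB   = User.new("bob")
ADMIN = User.new("root", admin: true)
GUEST = Guest.new

[[ALICE, ALICE], [BOB, ALICE], [ADMIN, ALICE], [GUEST, ALICE]].each do |viewer, record|
  who = viewer.respond_to?(:name) ? viewer.name : "guest"
  puts format("%-6s viewing %-6s => %s", who, record.name, can_view?(viewer, record))
end
```

The two cases that are easy to miss are the guest holding a reset key and the guest filling in the signup form for a record that is not saved yet; both have to pass while "bob viewing alice" is denied.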
