Thanks Jordon ... I take your point ... I begin with some sites discussing both these issues, authentication, and authorization.
fuzzy.

On Dec 3, 8:51 am, Jordon Bedwell <[email protected]> wrote:
> On Mon, Dec 3, 2012 at 8:42 AM, fuzzy <[email protected]> wrote:
> > If you change the url to any other page, i.e. to contracts, you totally
> > circumvent the authentication and authorization.
> >
> > Is there a way to use the authentication and authorization of
> > 'employee' to prevent a user from changing the url to circumvent the
> > sign-in, and also to govern the access to any other page without using
> > a gem?
>
> Store the userid in the session and then create a method on
> ApplicationController that checks the user, and run a before filter on
> all actions you need to secure. If the userid doesn't exist in the
> session then redirect them to the login page and redirect them back
> after authentication. Normally these methods would be "user", so you
> can do "user" and get the user information automatically, and
> "authenticate_user!", which would do the checking for "user" and
> redirect_to if there is a problem... This is just a base idea; you
> need to fill in the blanks on security between these actions.
>
> Authentication systems are hard, and this is no joke. They are hard
> because it requires a lot of work to get right, and they are harder
> when you mix in ACL's and MAL's, which requires a need for even more
> work. I would recommend instead of doing it from scratch at first use
> Devise or Omniauth, both proven to be secure, both able to handle
> custom auth and both will ease the pain until you understand the full
> stack of Rails.
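The session-based before filter that the quoted reply sketches, as an added example that is not part of the thread: a plain-Ruby stand-in for ApplicationController (no Rails required) with a `user` lookup, an `authenticate_user!` filter that remembers the requested path and bounces to the login page, and a `sign_in` step that sends the user back afterwards. The `USERS` table, the `/login` path and the `redirect_to` stub are constructed for the example.

```ruby
USERS = { 7 => { id: 7, name: "alice" } }.freeze  # constructed sample user table

class ApplicationController
  attr_reader :session, :redirected_to

  def initialize(session = {})
    @session = session          # stands in for the Rails session store
    @redirected_to = nil
  end

  # Memoized lookup of the signed-in user from the id stored in the session.
  def user
    @user ||= USERS[session[:user_id]]
  end

  # Before filter: true when a user is signed in; otherwise remember the
  # requested path, redirect to the login page and halt the action.
  def authenticate_user!(requested_path)
    return true if user
    session[:return_to] = requested_path
    redirect_to("/login")
    false
  end

  # Called after credentials have been verified (the "redirect them back"
  # half of the pattern). Falls back to / when nothing was remembered.
  def sign_in(user_id)
    session[:user_id] = user_id
    target = session.delete(:return_to)
    # Honour only app-relative paths so return_to cannot become an open redirect.
    target = "/" unless target.is_a?(String) && target.start_with?("/") && !target.start_with?("//")
    redirect_to(target)
  end

  def redirect_to(path)
    @redirected_to = path
  end
end

# Walk the flow from the original question: an anonymous request to /contracts
# is bounced to /login, and after sign-in the user lands back on /contracts.
def contracts_flow
  session = {}
  c = ApplicationController.new(session)
  first = c.authenticate_user!("/contracts")
  login = ApplicationController.new(session)
  login.sign_in(7)
  second = ApplicationController.new(session).authenticate_user!("/contracts")
  { blocked: !first, login_redirect: c.redirected_to, back_to: login.redirected_to, allowed: second }
end
```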

