On Mar 16, 4:30 pm, "Wolas!" <[email protected]> wrote:
> I think you have a design problem here. Access control should be
> handled in the controller, not the model.

Thanks for replying. I don't know, I figure that the model is already deciding which users are associated with which products, and expanding this to handle a special case is a logical extension that saves putting business logic in the controllers. Although I will probably have to revert to that as a fully-working solution.

> besides, having
>
> def root?
>   id == 1
> end
>
> I believe is a very bad bad idea, maybe I'm wrong. any opinions anyone?
> sorry, didn't mention why it was a bad idea. Just in case the root
> user changes id. or someone can modify the parameters and pretend to
> be of id 1. and probably for so many reasons I forgot right now.

Not sure if these can be justified, since by the definition above, if the root user changes their ID they are no longer the root user, and if somebody can pretend to be other user IDs on a system I think it has bigger problems! Please let me know if you remember the other ones, as security is of course important.

Thanks.

Andrew
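An added example, not code from this thread, sketching the two designs under discussion in plain Ruby (no Rails; the `User` class, its `ATTR_ACCESSIBLE` whitelist and `authorize_admin` are assumptions standing in for an ActiveRecord model and a controller filter). It puts the `id == 1` check beside a role-based `root?`, and shows why the role attribute must be kept out of mass assignment so that tampered request parameters cannot grant it:

```ruby
# Added example (not from the thread): a minimal stand-in for a Rails model.
class User
  # Keys that mass assignment may write. `role` is deliberately absent.
  ATTR_ACCESSIBLE = [:name, :email].freeze

  attr_reader :id, :name, :email, :role

  # `role` is set only here, on a trusted path (seed script, admin action).
  def initialize(id, attrs = {})
    @id = id
    @role = attrs.delete(:role) || "member"
    assign_attributes(attrs)
  end

  # Mimics update_attributes(params[:user]): only whitelisted keys are
  # written, so a "role" key smuggled into the form is silently dropped.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      next unless ATTR_ACCESSIBLE.include?(key.to_sym)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # The version from the thread: privilege tied to a row number, which
  # breaks as soon as the admin account is re-created with another id.
  def root_by_id?
    id == 1
  end

  # Role-based version: privilege is an explicit, non-mass-assignable attribute.
  def root?
    role == "admin"
  end
end

# Controller-side gate (Wolas's point): the model answers "is this an admin?",
# the controller decides whether the request may proceed.
def authorize_admin(current_user)
  raise "forbidden" unless current_user && current_user.root?
  :allowed
end
```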

