Currently I have an admin page that I configured that is only accessible
via the following:
On each controller that I do not want people to access, I place..
before_filter :login_required, :authorize
.. which will force them to login and then it will call an authorize
function to check if they are an admin role..
private

# Runs after login_required; sends anyone who is not an admin back to the root page.
def authorize
  unless logged_in? && User.find(current_user).admin?
    redirect_to root_url
  end
end
=======================
This works great for protecting my pages and allowing me to perform many
administrative functions live on the site. However, one potential issue
that I see concerns user administration.
I've made it so that I can edit/update users through my administrative
pages and protected those pages so only admins can access them.
However, in order to set whether or not a user is an admin and be able
to update that user, I need to have:
attr_accessible :admin
If I set this to attr_protected :admin
.. I'm unable to access that attribute and won't be able to update my
admins..
So, I'm looking for ways to call an exception but still enforce a
protected status when users go to register and when they edit their
profile. Obviously I don't want them hacking into their profiles and
giving themselves admin status. But, at the same time, I want to be
able to manage users through my admin pages..
Any advice, suggestions would be appreciated.
Thanks.
--
Posted via http://www.ruby-forum.com/.
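
The distinction the question turns on, as an added example that is not part of the original post: in Rails, attr_protected filters only mass assignment, while a direct setter call such as user.admin = ... is unaffected. The plain-Ruby stand-in below mimics that behaviour so the self-service path and the admin path can be compared; SketchUser, update_profile and admin_update_user are hypothetical names, not ActiveRecord and not the poster's code.

```ruby
# Constructed plain-Ruby stand-in for a model declared with `attr_protected :admin`.
# Not ActiveRecord: SketchUser and both update helpers are hypothetical names.
class SketchUser
  PROTECTED = [:admin].freeze # plays the role of attr_protected :admin
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    self.attributes = attrs
  end

  # Mass assignment: protected keys are silently dropped, unknown keys ignored.
  def attributes=(attrs)
    attrs.each do |key, value|
      key = key.to_sym
      next if PROTECTED.include?(key)
      next unless respond_to?("#{key}=")
      public_send("#{key}=", value)
    end
  end
end

# Self-service path (registration, profile edit): mass assignment only.
def update_profile(user, params)
  user.attributes = params
  user
end

# Admin path: the same mass assignment, then the protected flag is written
# through its own setter, and only after the acting user's role is checked.
def admin_update_user(acting_user, target, params)
  raise SecurityError, "admin role required" unless acting_user.admin
  target.attributes = params
  params.each do |key, value|
    target.admin = %w[1 true].include?(value.to_s) if key.to_s == "admin"
  end
  target
end

# Constructed sample data: a form post that smuggles in admin=1, and an admin edit.
ROOT = SketchUser.new(name: "root")
ROOT.admin = true
ALICE = update_profile(SketchUser.new(name: "alice"), "email" => "a@example.test", "admin" => "1")
BOB = admin_update_user(ROOT, SketchUser.new(name: "bob"), "admin" => "1")
```
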