Working through the Users and Authentication part of the Learning Rails book  
(great book, though the code needs to be proof-read in a few cases), I  
came across this:

There's still one leftover that may be worth addressing, depending on  
your security needs. The authorization? method has secured the data,  
and the view no longer shows the user options they can't really use,  
but if a user knows the URL for the edit form, it will still open.  
It's a GET request, after all. This is a good reason to make sure that  
these forms don't display any information that isn't publicly  
available through other means. If this is an issue, it may be worth  
the effort of adding authorization checks to every controller method  
that could spring a leak.

Any good reason why I should do that instead of adding the checks to the view  
pages, like so?

<% if current_user.admin? %>
  <display page>
<% else %>
  <don't display page>
<% end %>

  - Rilindo
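An added example, not code from the original post or from the Learning Rails book, showing the difference the book is hinting at. A view-level `if current_user.admin?` only hides markup in that one template: the controller action has already run, the record has already been loaded, and any other rendering path out of the same action (a JSON format, an `update` action, a partial rendered elsewhere) is not covered. A controller-level check (`before_action` in Rails 4 and later, `before_filter` in the Rails of that era) halts the request before the action body runs, so it covers every action and format at once. Rails itself is not loaded here; `MiniController` is a small stand-in that reproduces just the before-filter semantics, and `User`, `Post`, `POSTS` and the `draft_notes` field are constructed sample data.

```ruby
# Added example (not from the original post or the book): why the
# authorization check belongs in the controller rather than only in the view.
# Assumed names: User#admin?, Post with a non-public draft_notes field,
# PostsController#edit. Rails is not required; MiniController mimics
# just enough of ActionController to show before_action semantics.

User = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

# A record with a field that is not publicly available elsewhere.
Post = Struct.new(:id, :title, :draft_notes)

# Constructed in-memory "database" standing in for Post.find.
POSTS = { 1 => Post.new(1, "Release plan", "internal: ship after the audit") }

class MiniController
  # Filters run before the action; one that renders halts the request.
  def self.before_action(method_name)
    (@filters ||= []) << method_name
  end

  def self.filters
    @filters || []
  end

  attr_reader :current_user, :format

  def initialize(current_user, format: :html)
    @current_user = current_user
    @format = format
    @response = nil
    @loaded = [] # every record the action fetched from the "database"
  end

  def process(action, *args)
    self.class.filters.each do |f|
      send(f)
      return @response if @response # filter rendered: action never runs
    end
    send(action, *args)
    @response
  end

  def records_loaded
    @loaded
  end

  private

  def find_post(id)
    POSTS.fetch(id).tap { |p| @loaded << p }
  end

  def render(body)
    @response = body
  end
end

# Version 1: only the HTML view checks. The action still runs, the record is
# still loaded, and the JSON path never sees the check at all.
class ViewOnlyPostsController < MiniController
  def edit(id)
    @post = find_post(id)
    case format
    when :html
      if current_user.admin?
        render("<form>#{@post.title}: #{@post.draft_notes}</form>")
      else
        render("Not authorized")
      end
    when :json
      render(@post.to_h) # leaks draft_notes to anyone who asks for .json
    end
  end
end

# Version 2: the check is a before_action, so every action and every format is
# covered and a non-admin never even causes the record to be loaded.
class GuardedPostsController < MiniController
  before_action :require_admin

  def edit(id)
    @post = find_post(id)
    render(format == :json ? @post.to_h : "<form>#{@post.title}: #{@post.draft_notes}</form>")
  end

  private

  def require_admin
    render("Not authorized") unless current_user.admin?
  end
end

# Returns [response, number of records the action loaded].
def run(controller_class, user, format, id = 1)
  c = controller_class.new(user, format: format)
  [c.process(:edit, id), c.records_loaded.size]
end

ALICE = User.new("alice", true)
BOB   = User.new("bob", false)
```

Run `run(ViewOnlyPostsController, BOB, :json)` and the non-admin gets the whole record including `draft_notes`, even though the HTML view would have hidden it; `run(GuardedPostsController, BOB, :json)` returns "Not authorized" with zero records loaded. That is the practical reason for putting the check in the controller: the view only decides what to draw, the controller decides whether the request is allowed to happen at all.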