Hey, that is easier. I'll have to save this.

Thanks!

On Jul 24, 2009, at 8:54 PM, James Englert wrote:

> It would probably be easier to prevent users from viewing those  
> pages using a filter.  If you are using AuthenticatedSystem, you  
> might be able to tap into the login_required function.  An example  
> filter would be like
>
> <.. in your controller class ..>
> before_filter :login_required, :except => [:show]
>
> Hope that helps.
>
> On Fri, Jul 24, 2009 at 8:41 PM, Rilindo Foster <[email protected]>  
> wrote:
> Working through the Users and Authentication of Learning Rails book  
> (great book, code needs to be proof-read in a few cases, though), I  
> came across this:
>
> There's still one leftover that may be worth addressing, depending  
> on your security needs. The authorization? method has secured the  
> data, and the view no longer shows the user options they can't  
> really use, but if a user knows the URL for the edit form, it will  
> still open. It's a GET request, after all. This is a good reason to  
> make sure that these forms don't display any information that isn't  
> publicly available through other means. If this is an issue, it may  
> be worth the effort of adding authorization checks to every  
> controller method that could spring a leak.
>
> Any good reason why I do that instead of adding the checks to the  
> view pages, like?
>
> <% if current_user.admin? %>
> <display page>
> <% else %>
> <don't display page>
> <% end %>
>
>  - Rilindo
>
> -- 
> =====================
> Jim
> http://www.thepeoplesfeed.com/contribute
>

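The point James makes (authorize in the controller, not only in the view) can be demonstrated without a Rails app. The following is an added example, not code from this thread or from the Learning Rails book: a small Ruby stand-in for Rails' `before_filter` dispatch, with one controller that only checks `current_user.admin?` in the view (Rilindo's approach) and one that declares `before_filter :admin_required, :except => [:show]` in the shape James suggests. `MiniController`, `ViewCheckedPostsController`, `FilteredPostsController`, `admin_required` and the `SECRET_RECORD` hash are all hypothetical; the rule that a filter returning `false` halts the chain is a simplification of how Rails stops a filter chain.

```ruby
# Added example: a minimal imitation of Rails' before_filter dispatch, so the
# view-only check and the controller filter can be compared offline.
# Names are hypothetical; SECRET_RECORD is a constructed stand-in for a DB row.

User = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

class MiniController
  # Registers a filter the way Rails' before_filter :name, :except => [...] does.
  def self.before_filter(name, options = {})
    filters << [name, Array(options[:except]).map(&:to_sym)]
  end

  def self.filters
    @filters ||= []
  end

  attr_reader :current_user, :rendered, :loaded_record

  def initialize(current_user)
    @current_user = current_user
    @rendered = nil        # what the "view" would show
    @loaded_record = nil   # what the action pulled out of the "database"
  end

  # Dispatch an action: filters run first; a filter returning false halts the
  # chain (simplification of Rails, which halts when a filter renders/redirects).
  def process(action)
    self.class.filters.each do |name, except|
      next if except.include?(action)
      return self if send(name) == false
    end
    send(action)
    self
  end
end

# Constructed record with data that is not public.
SECRET_RECORD = { id: 1, title: "Draft", internal_notes: "not public" }

# Approach 1: the authorization check lives only in the view template.
# A plain GET to /posts/1/edit still runs the action and loads the record.
class ViewCheckedPostsController < MiniController
  def show
    @rendered = "show: #{SECRET_RECORD[:title]}"
  end

  def edit
    @loaded_record = SECRET_RECORD                 # loaded before the view decides
    @rendered = if current_user.admin?             # the <% if current_user.admin? %> branch
                  "edit form: #{SECRET_RECORD[:internal_notes]}"
                else
                  "access denied"
                end
  end
end

# Approach 2: the check is a before_filter; non-admins never reach the action.
class FilteredPostsController < MiniController
  before_filter :admin_required, :except => [:show]

  def admin_required
    return true if current_user.admin?
    @rendered = "redirect to /login"
    false                                          # halts the chain
  end

  def show
    @rendered = "show: #{SECRET_RECORD[:title]}"
  end

  def edit
    @loaded_record = SECRET_RECORD
    @rendered = "edit form: #{SECRET_RECORD[:internal_notes]}"
  end
end

def run(controller_class, user, action)
  controller_class.new(user).process(action)
end

if __FILE__ == $0
  guest = User.new("guest", false)
  admin = User.new("root", true)
  puts "view-checked, guest GET edit: loaded=#{!run(ViewCheckedPostsController, guest, :edit).loaded_record.nil?}"
  puts "filtered, guest GET edit:     loaded=#{!run(FilteredPostsController, guest, :edit).loaded_record.nil?}"
  puts "filtered, admin GET edit:     #{run(FilteredPostsController, admin, :edit).rendered}"
end
```

The difference to watch is `loaded_record`: with the view-only check the edit action has already fetched the record for a guest before the template hides it, which is exactly the "leak" the book warns about; with the filter, the guest's request is stopped before `edit` executes, while `show` stays open because of `:except => [:show]`.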

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.