On 6 August 2010 12:48, bingo bob <[email protected]> wrote:
>> I was thinking more along the lines of
>> @baby_names = BabyName.find( :all, :conditions => { :user_id => current_user.id } )
>> to get all of them, or
>>
>> @baby_name = BabyName.find(params[:id], :conditions => { :user_id => current_user.id }) if params[:id]
>> if you want to get just one.
>
> That's helpful thanks - I get that; the thing is though I'm trying to
> understand *where* to do these finds and how to make them so they don't
> error if no params are supplied or the wrong params are supplied. In
> plain terms, with this app, at least initially, I'd like to secure the
> thing so only users have access to *their own* baby_names both
> individually and as a list. I see how your code does that.
>
> Would I be best doing this/these finds in a before_filter that calls a
> method say find_baby_names where in that method I check for supplied
> params then find, or perhaps in two separate before_filters, one for the
> index action that gets all the @baby_names and one for the times when
> there's only one name (e.g. an edit). Or maybe I've got the wrong end of
> the stick and I should do these finds in the different controller
> actions, e.g. in index do the @baby_names = BabyName.find( :all,
> :conditions => { :user_id => current_user.id } ).
>
> I'm guessing that a single before_filter is the DRY way to do it and
> inherently more secure as I'll have all the logic in one place and it'll
> get called every time for every action.
You can't do the finds in a filter because what you want to do depends on the action (find all for index but only one for edit, for example). I would firstly make sure that nothing can be done without logging in by using a before filter to check that, something like before_filter :require_user in application_controller. Then provide appropriate named scopes for BabyNames that enforce the conditions and always use those rather than the generic find. If you are not sure what named scopes you need then initially just put the finds in line with the conditions and when you find yourself repeating a find then convert it to a named scope.

Remember that the code is under your control. If you have no find operations in the code that do not specify the user conditions then there is no way a find can be performed using your app that does not have that condition. Do a global search in your app for 'find' and check they all have appropriate conditions.

Don't forget in your automated tests to make sure nothing can be done without logging in and that if an attempt is made to get a name that should not be accessible then it fails.

Colin

>
> The other questions I have, how to deal with the sort actions and if I
> need the protected and private keywords at all.
>
> Very grateful for any insight.
> --
> Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-talk?hl=en.
>
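A plain-Ruby sketch of the approach Colin describes, added here as an illustration and not code from the thread or from Rails itself: a login check that runs before every action, and a single per-user scope that every lookup goes through, so an id belonging to another user behaves exactly like an id that does not exist. There is no ActiveRecord in it; the `BabyName` struct, the `BABY_NAMES` store, `BabyNameScope`, `BabyNamesController` and the sample rows are all constructed for the example, and `unscoped_finds` is a deliberately simple grep-style version of the "global search for 'find'" audit.

```ruby
# Added example (not from the thread): login filter + per-user scope,
# modelled in plain Ruby with no Rails/ActiveRecord. All names and
# records below are constructed for illustration.

class NotLoggedIn < StandardError; end
class RecordNotFound < StandardError; end

BabyName = Struct.new(:id, :user_id, :name)

# Constructed sample data: user 10 owns two names, user 20 owns one.
BABY_NAMES = [
  BabyName.new(1, 10, "Ada"),
  BabyName.new(2, 10, "Grace"),
  BabyName.new(3, 20, "Linus"),
].freeze

module BabyNameScope
  # Stands in for a named scope (named_scope :for_user, ...): the only
  # route the controller uses to reach records, so the user condition
  # is applied before any id is looked at.
  def self.for_user(user_id, store = BABY_NAMES)
    store.select { |n| n.user_id == user_id }
  end
end

class BabyNamesController
  attr_reader :baby_names, :baby_name

  # current_user_id is nil when nobody is logged in.
  def initialize(current_user_id, params = {})
    @current_user_id = current_user_id
    @params = params
    require_user # plays the part of before_filter :require_user
  end

  # index: everything the caller owns, and nothing else.
  def index
    @baby_names = BabyNameScope.for_user(@current_user_id)
  end

  # show/edit: one record, looked up *inside* the user scope. A missing id,
  # a malformed id and another user's id all end the same way: RecordNotFound.
  def show
    id = Integer(@params[:id]) rescue nil
    record = id && BabyNameScope.for_user(@current_user_id).find { |n| n.id == id }
    raise RecordNotFound, "no baby name #{@params[:id].inspect} for this user" unless record
    @baby_name = record
  end

  private

  def require_user
    raise NotLoggedIn, "login required" if @current_user_id.nil?
  end
end

# Colin's "global search for find", as a heuristic audit over controller
# source: flags lines that call the model's generic find instead of the scope.
# Returns "lineno: text" strings for each offending line.
def unscoped_finds(source)
  source.lines.each_with_index
        .select { |line, _| line =~ /\bBabyName\.find\b/ }
        .map { |line, i| "#{i + 1}: #{line.strip}" }
end

if __FILE__ == $0
  p BabyNamesController.new(10).index.map(&:name)
  begin
    BabyNamesController.new(10, { id: "3" }).show
  rescue RecordNotFound => e
    puts "blocked: #{e.message}"
  end
end
```

The point of routing `show` through `for_user` rather than checking ownership after a bare `find` is that the unscoped query never runs, so there is nothing for a later check to forget; the audit function is only a safety net for spotting code paths that bypass the scope.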

