> You can't do the finds in a filter because what you want to do depends
> on the action (find all for index but only one for edit for example).
ok, understood - and that might sound obvious but it wasn't, I had visions of doing something programmatically in the before filter to check what action was being done at the time and that seemed like a very odd thing to do, I can see now that's not the way to go. ta.

> I would firstly make sure that nothing can be done without logging in
> by using a before filter to check that, something like
> before_filter :require_user

OK, great - I get this and I'm doing it already, albeit in the baby_names_controller, I'll move it to application controller and skip it for the welcome controller's index action (the homepage which is public). Makes perfect sense. I can see how this way the app should be secured at one level - you need to have an account and be logged in to do stuff.

> Then provide appropriate named scopes for
> BabyNames that enforce the conditions and always use those rather than
> the generic find. If you are not sure what named scopes you need then
> initially just put the finds in line with the conditions and when you
> find yourself repeating a find then convert it to a named scope.
> Remember that the code is under your control. If you have no find
> operations in the code that do not specify the user conditions then
> there is no way a find can be performed using your app that does not
> have that condition. Do a global search in your app for 'find' and
> check they all have appropriate conditions.

That's fine, will do that - but the way you put it sounds like I'd have a lot of named_scopes to do this, in this case I can only think of two, the find for a specific baby name and the one to get them all. Actually hold on *CORRECTION*, sorry I type as I think! That's right I'm doing other finds as well, e.g. finding a user's boy baby names and girl baby names - I guess I should secure those also on the basis of the current_user's boy baby names. Basically are you saying move all finds to the model and make sure they're secured there?
Hmm what if I want some or other baby_name on my home page, no model for that -> guess I can do a find for that in the welcome controller, that's ok. Is the idea to get all the finds into the model so I can be certain the user authorisation is in place any time someone tries to find a record / records?

> Don't forget in your automated tests to make sure nothing can be done
> without logging in and that if an attempt is made to get a name that
> should not be accessible then it fails.

V good idea. Will put this in place in line with the new find code, and will check it fails without the current_user.

bb
-- 
Posted via http://www.ruby-forum.com/.
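As an added example that is not part of this thread, the pattern discussed above in plain Ruby (no ActiveRecord, so it runs stand-alone): a user-scoped accessor stands in for the named scope, `require_user` stands in for the before filter, and an id owned by another user fails exactly like a missing id. The class, method and sample data names are assumptions, not from the original post.

```ruby
# Added example: plain-Ruby stand-in for a Rails named scope keyed on the
# current user, plus the before-filter check. Names/data are constructed.
RecordNotFound = Class.new(StandardError)
NotLoggedIn    = Class.new(StandardError)

User     = Struct.new(:id, :name)
BabyName = Struct.new(:id, :user_id, :name, :gender)

# Constructed sample table: user 10 owns ids 1 and 2, user 20 owns id 3.
NAMES = [
  BabyName.new(1, 10, "Oliver", :boy),
  BabyName.new(2, 10, "Amelia", :girl),
  BabyName.new(3, 20, "Noah",   :boy),
].freeze

# Stands in for something like
#   named_scope :for_user, lambda { |u| { :conditions => { :user_id => u.id } } }
# Every accessor goes through the user condition; there is no generic find.
class BabyNameScope
  def initialize(user, records = NAMES)
    @records = records.select { |n| n.user_id == user.id }
  end

  def all;   @records; end
  def boys;  @records.select { |n| n.gender == :boy };  end
  def girls; @records.select { |n| n.gender == :girl }; end

  # An id belonging to another user raises the same error as a non-existent
  # id, so the response does not reveal that the record exists at all.
  def find(id)
    @records.find { |n| n.id == id } or raise RecordNotFound, "BabyName #{id}"
  end
end

# Stands in for ApplicationController's before_filter :require_user.
def require_user(current_user)
  raise NotLoggedIn, "login required" unless current_user
  current_user
end

# Controller-style actions: require a user first, then only use the scope.
def index_for(current_user)
  BabyNameScope.new(require_user(current_user)).all
end

def show_for(current_user, id)
  BabyNameScope.new(require_user(current_user)).find(id)
end
```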

