On Feb 12, 10:11 am, Colin Law <[email protected]> wrote:
> On 12 February 2011 10:00, msaspence <[email protected]> wrote:
>
> > On Feb 12, 9:53 am, Colin Law <[email protected]> wrote:
> >> On 11 February 2011 22:40, msaspence <[email protected]> wrote:
>
> >> > I want to restrict access to an object's show action to the owner
>
> >> > in my action I have this
>
> >> > def show
> >> >    @thing = Thing.find(params[:id])
> >> >    if current_user && @thing.owner == current_user
>
> >> Not related to your problem, but just pointing out that you might be
> >> better to use a :conditions option in the find so that it only finds
> >> the current users things in the first place.  Then put this in a named
> >> scope in the Thing model and the above reduces to something like
> >> @thing = Thing.current_users_things.find(params[:id])
>
> >> Colin
>
> > But if it doesn't find anything I won't know whether to return a 404 or
> > a 403
>
> Your current code does not allow that distinction either.
>
> Since I see you are using authlogic do you not have a before filter
> require_user or similar so that you can trap no user condition before
> it even gets to the show action?
>
> Colin

not yet but I can add it in easily enough (pseudocode)

def show
    @thing = Thing.find_by_id(params[:id])
    if @thing.nil?
      # "thing not found" => 404
      render :status => :not_found, :text => "Not found."
    elsif current_user && @thing.owner == current_user
      respond_to do |format|
        format.json  { render :json => @thing }
      end
    else
      render :status => :forbidden, :text => "API requires authentication for the minute."
    end
end

require_user does sound like a more elegant way to do the if current_user
but still doesn't solve current_user == @thing.owner

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
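As an added example (not code from the thread, and not tied to Rails or authlogic), here is the decision flow the two replies are discussing, written in plain Ruby so it runs stand-alone. The User and Thing structs, the sample records, the NotFound class and the helper names are constructed stand-ins for Thing.find and for a lookup scoped to the current user; the unauthenticated case returns 401 here (the conventional status for a missing login) where the pseudocode above returned 403.

```ruby
# Added example, not code from the thread: the show-action decision flow in
# plain Ruby (no Rails), so it runs stand-alone. User, Thing, the sample
# records and the helper names are constructed for illustration.
User  = Struct.new(:id, :name)
Thing = Struct.new(:id, :owner_id, :title)

# Constructed sample data standing in for the database tables.
USERS  = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }.freeze
THINGS = {
  10 => Thing.new(10, 1, "alice's thing"),
  20 => Thing.new(20, 2, "bob's thing"),
}.freeze

# Plays the role of ActiveRecord::RecordNotFound.
class NotFound < StandardError; end

# Stand-in for Thing.find(id): raises when the id does not exist.
def find_thing(id)
  THINGS.fetch(id) { raise NotFound, "Couldn't find Thing with id=#{id}" }
end

# Stand-in for Colin's scoped lookup (e.g. current_user.things.find(id)):
# only the current user's things are visible, so "not owned" raises the
# same error as "does not exist".
def find_users_thing(user, id)
  thing = THINGS[id]
  raise NotFound, "Couldn't find Thing with id=#{id}" unless thing && thing.owner_id == user.id
  thing
end

# Version 1, the explicit checks from the pseudocode above. Authentication is
# checked first (what a require_user before filter would do), then existence,
# then ownership. Returns [http_status, body].
def show_explicit(current_user, id)
  return [401, "API requires authentication."] unless current_user
  thing = find_thing(id)
  return [403, "Forbidden."] unless thing.owner_id == current_user.id
  [200, { id: thing.id, title: thing.title }]
rescue NotFound
  [404, "Not found."]
end

# Version 2, the scoped lookup. The owner still gets 200, but a missing id and
# someone else's id both come back as 404: the caller cannot tell whether the
# record exists at all.
def show_scoped(current_user, id)
  return [401, "API requires authentication."] unless current_user
  thing = find_users_thing(current_user, id)
  [200, { id: thing.id, title: thing.title }]
rescue NotFound
  [404, "Not found."]
end

if __FILE__ == $PROGRAM_NAME
  alice, bob = USERS[1], USERS[2]
  puts "explicit, owner:     #{show_explicit(alice, 10).inspect}"
  puts "explicit, non-owner: #{show_explicit(bob, 10).inspect}"
  puts "explicit, missing:   #{show_explicit(alice, 99).inspect}"
  puts "scoped,   non-owner: #{show_scoped(bob, 10).inspect}"
  puts "scoped,   missing:   #{show_scoped(bob, 99).inspect}"
end
```

The two versions differ only in what a logged-in non-owner learns. The explicit version answers 403 for a record that exists but belongs to someone else and 404 for one that does not, so the status code alone reveals which ids are in use; the scoped version collapses both into 404 and gives nothing away about other users' records. That is the usual reason to prefer the scoped lookup for an API, at the cost of the 403/404 distinction msaspence is asking for. Either way the authentication check stays in a before filter, so the action body only ever runs with a current_user present.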