On Jun 30, 2011, at 10:10 PM, Andrew Skegg wrote:
> I may have misunderstood your question, but I don't see the need to
> access or
> change Devise's controllers directly. You have control over your
> User model
> and the Controllers which utilise it, so you should be able to
> enforce your
> business logic as described. I would not worry too much about the
> methods
> Devise injects into your models - you control access to them.
Here's the thing. I can certainly keep users from seeing links to the
routes that control invitations, but I don't have any practical way to
enforce -- at the model level or in the controller -- the user types
that are really allowed to use those. It is trivial to wrap the view
layer in can? conditionals, in other words. But nothing stops someone
who guesses the path from writing a URL and performing an operation
their user level doesn't permit.
Because Devise Invitable internals handle the resolution of
new_user_invitation_path, I can't put anything in the UsersController
to belt-and-suspenders check to see if the current user *should*
actually be there. Those requests simply side-step my controller
altogether, and point to an Invitations model that is also inside the
gem.
Walter
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
No comments:
Post a Comment