Ruby on Rails Monday, December 3, 2012

Thanks Jordon ... I take your point ... I begin with some sites
discussing both these issues, authentication, and authorization.

fuzzy.

On Dec 3, 8:51 am, Jordon Bedwell <envyge...@gmail.com> wrote:
> On Mon, Dec 3, 2012 at 8:42 AM, fuzzy <hlog...@gmail.com> wrote:
> > If you change the url to any other page, ie, to contracts, you totally
> > circumvent the authentication and authorization.
>
> > Is there a way to use the authentication and authorization of
> > 'employee' to prevent a user from changing the url to circumvent the
> > sign-in, and also to govern the access to any other page without using
> > a gem?
>
> Store the userid in the session and then create a method on
> ApplicationController that checks the user, and run a before filter on
> all actions you need to secure, if the userid doesn't exist in the
> session then redirect them to the login page and redirect them back
> after authentication.  Normally these methods would be "user" so you
> can do "user" and get the user information automatically and
> "authenticate_user!" which would do the checking for "user" and
> redirect_to if there is a problem...  This is just a base idea you
> need to fill in the blanks on security between these actions.
>
> Authentication systems are hard, and this is no joke.  They are hard
> because it requires a lot of work to get right, and they are harder
> when you mix in ACL's and MAL's which requires a need for even more
> work, I would recommend instead of doing it from scratch at first use
> Devise or Omniauth, both proven to be secure, both able to handle
> custom auth and both will ease the pain until you understand the full
> stack of Rails.
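Jordon's sketch written out as an added example (not code from the thread): a Rails-style controller concern with `current_user` and `authenticate_user!`, plus the redirect-back step after login. Rails itself is not needed to run it; `StubController` is a constructed stand-in for `ActionController::Base` that supplies `session`, `request_path`, `redirect_to` and `reset_session`, and `USERS` stands in for a `User` lookup.

```ruby
# Constructed stand-in for User.find_by(id: ...). Only the id lives in the
# session; everything else is looked up per request.
USERS = { 1 => "alice" }.freeze

module Authentication
  # Memoised helper: nil when the session has no user_id, or a stale one
  # (account deleted), so a leftover id cannot be trusted on its own.
  def current_user
    @current_user ||=
      if USERS.key?(session[:user_id])
        { id: session[:user_id], name: USERS[session[:user_id]] }
      end
  end

  # Intended as a before_action on every action that must be protected
  # (e.g. `before_action :authenticate_user!`). Remembers the requested
  # path, then sends the visitor to the login page. Returns false when
  # the request is halted, true when it may proceed.
  def authenticate_user!
    return true if current_user
    session[:return_to] = request_path
    redirect_to "/login"
    false
  end

  # Called once credentials have been verified: rotate the session to
  # defeat fixation, store the id, and send the user back where they were.
  def sign_in(user_id)
    return_to = session.delete(:return_to)
    reset_session
    @current_user = nil
    session[:user_id] = user_id
    redirect_to(return_to || "/")
  end
end

# Minimal stand-in for ActionController::Base so the file runs stand-alone.
class StubController
  include Authentication
  attr_reader :session, :request_path, :redirected_to

  def initialize(session = {}, path = "/contracts")
    @session = session
    @request_path = path
  end

  def redirect_to(location) ; @redirected_to = location ; end
  def reset_session        ; @session = {}              ; end
end
```

A direct request to `/contracts` with an empty session is redirected to `/login`, and a later `sign_in(1)` lands back on `/contracts`, which is the behaviour the original question asked for.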
