Ruby on Rails Monday, December 3, 2012

I have an authentication and authorization system built along the same
lines outlined in Michael Hartl's Rails Tutorial.

Here is the employees_controller.rb:

class EmployeesController < ApplicationController
  before_filter :signed_in_employee, only: [:index, :edit, :update]
  before_filter :correct_employee,   only: [:edit, :update]

  # etc
  # etc

  private

    # Require a signed-in employee, remembering where they were headed.
    def signed_in_employee
      unless signed_in?
        store_location
        redirect_to signin_path, notice: "Please sign in to access this page."
      end
    end

    # Only the employee themselves may edit/update their record.
    def correct_employee
      @employee = Employee.find(params[:id])
      redirect_to(root_path) unless current_employee?(@employee)
    end

    # Admin-only actions.
    def admin_employee
      redirect_to(root_path) unless current_employee.admin?
    end
end

The pages start out at root. If you try to change the URL to, say,
'employees', you will get the message
"Please sign in to access this page."

If you change the URL to any other page, i.e., to contracts, you totally
circumvent the authentication and authorization.

Is there a way to use the authentication and authorization of
'employee' to prevent a user from changing the url to circumvent the
sign-in, and also to govern the access to any other page without using
a gem?

Thanks,

fuzzy.
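The standard no-gem answer is to move the sign-in check out of EmployeesController and into ApplicationController, so every controller inherits it and the sign-in pages opt out with skip_before_filter. The example below is added here and is not from the post above or from the Rails Tutorial; to run without Rails it uses a tiny stand-in base class (FilterBase) that models only how before_filter declarations are inherited, so in a real app ApplicationController would inherit from ActionController::Base instead.

```ruby
# Minimal stand-in for ActionController::Base so this runs offline (assumption,
# not Rails): it models inherited before_filter / skip_before_filter only.
class FilterBase
  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : [])
  end

  def self.before_filter(name, only: nil)
    filters << [name, only]
  end

  def self.skip_before_filter(name)
    filters.delete_if { |n, _| n == name }
  end

  attr_reader :current_employee, :redirected_to

  def initialize(current_employee: nil)
    @current_employee = current_employee
  end

  def redirect_to(path)
    @redirected_to = path
  end

  # Run the inherited filter chain, then the action unless a filter redirected.
  def process(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name)
      return @redirected_to if @redirected_to
    end
    send(action)
  end
end

# Deny by default: every controller in the app inherits the sign-in check.
class ApplicationController < FilterBase
  before_filter :signed_in_employee

  private
    def signed_in?; !current_employee.nil?; end
    def signed_in_employee; redirect_to("/signin") unless signed_in?; end
end

# The sign-in pages must opt out, or nobody could ever sign in.
class SessionsController < ApplicationController
  skip_before_filter :signed_in_employee
  def new; "sign-in form"; end
end

# ContractsController declares nothing and is still protected.
class ContractsController < ApplicationController
  def index; "contracts"; end
end

# Simulate a request to controller#action as the given employee (nil = anonymous).
def visit(controller, action, employee = nil)
  controller.new(current_employee: employee).process(action)
end
```

With this layout, changing the URL to /contracts while signed out redirects to the sign-in page, and per-resource rules like correct_employee or admin_employee stay in the individual controllers on top of the global check.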
