Thursday, December 31, 2009

[Rails] Re: Instantiating controllers?

Student Jr wrote:
> Telling people about links that they aren't supposed to be able to
> access sounds like a security issue to me.

Of course it is. That's not what I said.

And please don't top-post.

>
> More centrally, however, is that the links may be more complicated
> than just http://site/controller/action. There can be any of a number
> of things in the params, including an id field, and the interpretation
> of these params can affect the results.

Then send the whole url_for params hash to authorize?. Easy.

> But it is the target
> controller which must interpret these params. For instance, the
> target controller knows which class is the class to use to interpret
> the id field.

Why does the id field need to get interpreted at this stage? Surely
you're not going to take each nav link and do a database query on the
record it talks about at the time the navbar is created -- that would be
horribly inefficient! Just reject the user when he loads the controller
and tries to perform the action.

Also take a look at rails_authorization_plugin.

>
> (Yes, I'm considering using this methodology more generally than just
> a sidebar.)

Design for what you actually have now, not uncertain future
requirements. You can always refactor later. YAGNI.

>
> On Dec 31, 3:42 am, Marnen Laibow-Koser <li...@ruby-forum.com> wrote:
>> > method, and a before filter to redirect users if it fails. For each
>>
>> > controller. I really, REALLY don't see how to do this in a rack
>> > Groups "Ruby on Rails: Talk" group.

--
Posted via http://www.ruby-forum.com/.

--

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
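The two-stage scheme the reply argues for (a cheap, static `authorize?` over the url_for params hash when the navbar is built, and the record-level decision deferred to the target controller's before filter) as an added, framework-free Ruby sketch. This is illustration code, not from the thread, rails_authorization_plugin, or Rails itself; the `PERMISSIONS` role table, `authorize?`, `nav_links`, `handle_request`, the `Post` struct and the sample records are all constructed assumptions.

```ruby
# Added example (not from the thread): a minimal, framework-free sketch of
# nav-time authorization plus a controller-time record check. All names and
# data below are constructed for illustration.

# Constructed role table: which controller/action pairs each role may reach.
# Nav-time checks consult only this table, so building a navbar costs no
# database queries.
PERMISSIONS = {
  'admin'  => { 'posts' => %w[index show edit destroy], 'users' => %w[index show] },
  'editor' => { 'posts' => %w[index show edit] },
  'guest'  => { 'posts' => %w[index show] }
}.freeze

# Cheap, static check over a url_for-style params hash such as
# { controller: 'posts', action: 'edit', id: 7 }. The :id is deliberately
# ignored here: who owns record 7 is decided later, in the controller.
def authorize?(role, params)
  actions = PERMISSIONS.fetch(role, {})[params[:controller].to_s] || []
  actions.include?(params[:action].to_s)
end

# Build the sidebar from candidate links, keeping only those the role may reach.
def nav_links(role, candidates)
  candidates.select { |link| authorize?(role, link[:params]) }.map { |l| l[:label] }
end

# Constructed stand-in for the target controller's before filter. Only the
# controller knows which model class the :id refers to, so the single
# record-level lookup happens here, at request time, and the request is
# rejected (:forbidden) instead of rendering when ownership does not match.
Post = Struct.new(:id, :owner)
POSTS = { 7 => Post.new(7, 'alice'), 8 => Post.new(8, 'bob') }.freeze

def handle_request(role, user, params)
  return :forbidden unless authorize?(role, params)          # static check first
  if params[:action].to_s == 'edit' && role != 'admin'       # record-level check
    post = POSTS[params[:id]]
    return :not_found if post.nil?
    return :forbidden unless post.owner == user
  end
  :ok
end

if __FILE__ == $0
  links = [
    { label: 'Posts', params: { controller: 'posts', action: 'index' } },
    { label: 'Edit',  params: { controller: 'posts', action: 'edit', id: 7 } },
    { label: 'Users', params: { controller: 'users', action: 'index' } }
  ]
  puts nav_links('editor', links).inspect
  puts handle_request('editor', 'alice', { controller: 'posts', action: 'edit', id: 8 })
end
```

The point of the split: an editor sees the "Edit" link because editors may reach posts#edit in general, but editing post 8 is still refused at the controller because that is where the id gets interpreted against a real record. Nothing about a forbidden record leaks from the navbar, since the nav check never touches the database.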
