[Rails] Re: "show" action - restrict manual url change from user to view
On Jun 28, 10:36 pm, RailsFan Radha <li...@ruby-forum.com> wrote:
> This is "show" action in my "category controller".
>
> #---- Show ---
> def show
>   # @category=Category.find(params[:category_id])
>   @category=Category.find(params[:category_id])
> end
>
> "show" action - restrict manual url change from user to view the
> inactive records. "
> Active/inactive are set via status column in category table.
> where status='A'
>
> since the url shows up in the url bar, the user can simply type in a
> different category_id and view the record, even if status = 'I'
> but, i don't want the user to modify the url and view the category where
> status <> 'A'
> In short, the users get to view only status='A'
>
If you're doing this a lot, you should add it as a scope to the
Category model:
  class Category < ActiveRecord::Base
    named_scope :active, :conditions => { :status => 'A' }
  end
Then your controller action could be:
  def show
    @category = Category.active.find(params[:category_id])
  end
which will throw a RecordNotFound if the supplied ID isn't also
active.
BTW, the use of :category_id in the above sample is odd - if you're in
CategoriesController and have the standard routing, (/categories/:id)
the parameter will be named :id. :category_id would be used if, for
instance, you had a nested route to a Post model:
/categories/:category_id/posts
/categories/:category_id/posts/new
etc.
--Matt Jones
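
Added example, not part of the original message: the unscoped lookup from the question beside the scoped lookup from the reply, run against a small in-memory stand-in for ActiveRecord so it works without Rails. CategoryStore, the sample rows and the show_unscoped/show_scoped helpers are constructed for illustration; the rescue makes explicit that an inactive id and a nonexistent id produce the same 404.

```ruby
# In-memory stand-in for ActiveRecord (constructed for this example),
# so the scoped lookup can be exercised without Rails or a database.
class RecordNotFound < StandardError; end

Category = Struct.new(:id, :name, :status)

class CategoryStore
  def initialize(rows)
    @rows = rows
  end

  # Counterpart of `named_scope :active, :conditions => { :status => 'A' }`.
  def active
    CategoryStore.new(@rows.select { |c| c.status == 'A' })
  end

  # Like ActiveRecord's find: raises when the id is not in the current scope.
  def find(id)
    wanted = Integer(id, exception: false) # nil for non-numeric input
    @rows.find { |c| c.id == wanted } or
      raise RecordNotFound, "Couldn't find Category with ID=#{id}"
  end
end

# Constructed sample data: one active and one inactive category.
CATEGORIES = CategoryStore.new([
  Category.new(1, 'Books', 'A'),
  Category.new(2, 'Retired line', 'I'),
])

# Unscoped lookup, as in the question: any id typed into the URL is served,
# including records with status 'I'.
def show_unscoped(params)
  [200, CATEGORIES.find(params[:category_id]).name]
end

# Scoped lookup, as in the reply. RecordNotFound becomes a plain 404, so the
# response does not reveal whether the id is inactive or does not exist.
def show_scoped(params)
  [200, CATEGORIES.active.find(params[:category_id]).name]
rescue RecordNotFound
  [404, 'Not Found']
end
```

The same checks translate directly into controller tests: request an inactive id and a nonexistent id and assert that both return the same status and body.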