I'm trying to use Authlogic to protect some in place editor fields I have on a page. I've protected all the methods in my controller, but it looks like in_place_editor is calling some weird generated stuff that doesn't even show up in my routes, like "/quotes/set_quote_text/1". Number one, is there a site that tells more about these "secret" routes? Or is this something that in place edit added that I don't know about? It's just kind of unnerving that it doesn't even show up when I display all routes.

Assuming I do find this out, I have no idea how to protect things that aren't methods in my controller. Can I protect a whole route?

Another question is that, even if I do restrict the update route, the in place editor fields are rendering for everything. I would imagine that the way to do this would be to create a helper which would render the appropriate version depending on if the user is logged in or not. I am just not sure what I'd be checking against to see if someone's logged in or not, since I've been doing it all in the controller... Also, tips for that: would the partial just render one of 2 versions of a partial depending on the logged in state, or is there another way to do this?

Thanks!

+1  A: 

By default Rails includes the following routes:

map.connect ':controller/:action/:id'
map.connect ':controller/:action/:id.:format'

Furthermore, as you probably know, all public controller methods serve as controller actions.

Consider the following controller:

class SampleController < ActionController::Base
  def test
    render :text => "text"
  end
end

So with the default routes, /sample/test will call SampleController#test

Also worth knowing is that in_place_edit_for(object, attribute, options = {}) defines a new method on the controller called set_#{object}_#{attribute}. In your case, this is set_quote_text.

To answer your questions:

  • Why doesn't the route show up in rake routes: Almost certainly this is because it's using that default route that I talked about at the beginning. I often remove these routes so that only routes I explicitly define will be used.
  • How can one protect the in_place_edit action?: Now that you know the name of the action you can add it to your list of protected actions. I assume you have something along the lines of before_filter :authentication_required, :only => LIST_OF_ACTIONS_REQUIRING_AUTHENTICATION. Safer than this however is to use except and provide a list of all actions that you do not want to protect: before_filter :authentication_required, :except => LIST_OF_ACTIONS_THAT_DON'T_REQUIRE_AUTHENTICATION

Hopefully that's what you need.

Peter Wagenet
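The difference between :only and :except described in the answer above, as an added example that is not part of the original answer. It is a plain-Ruby model of the behaviour, not Rails code: ModelController, require_auth, the Quotes* classes and the in_place_edit_for stand-in are all hypothetical names written for this illustration.

```ruby
# Simplified model of the behaviour described above (NOT Rails itself):
# every public instance method is an action reachable through the
# default ':controller/:action/:id' route.
class ModelController
  class << self
    # Hypothetical stand-in for
    # before_filter :authentication_required, :only/:except => [...]
    def require_auth(opts)
      @filter_opts = opts
    end

    # Stand-in for in_place_edit_for: defines set_<object>_<attribute>.
    def in_place_edit_for(object, attribute)
      define_method("set_#{object}_#{attribute}") { "updated #{attribute}" }
    end

    # All public methods, including generated and inherited ones.
    def actions
      (public_instance_methods - Object.public_instance_methods).map(&:to_s).sort
    end

    def protected_action?(name)
      only, except = @filter_opts[:only], @filter_opts[:except]
      return only.map(&:to_s).include?(name) if only
      !Array(except).map(&:to_s).include?(name)
    end

    # Actions a request can reach without passing the auth filter.
    def unprotected_actions
      actions.reject { |a| protected_action?(a) }
    end
  end
end

class QuotesBase < ModelController
  in_place_edit_for :quote, :text   # generates set_quote_text
  def index; end
  def update; end
  def destroy; end
end

class QuotesOnly < QuotesBase
  require_auth :only => [:update, :destroy]   # generated action forgotten
end

class QuotesExcept < QuotesBase
  require_auth :except => [:index]            # everything else is covered
end

puts "only:   #{QuotesOnly.unprotected_actions.inspect}"
puts "except: #{QuotesExcept.unprotected_actions.inspect}"
```

With the :only list the generated set_quote_text action stays reachable without authentication; with :except it is covered without being named.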
Thanks, the :except method is way safer and covers more cases. However, I guess I'm still confused about the fact that it makes several routes. If I did want to protect those in particular, how could I feasibly do so, since there are so many routes generated for each attribute? Could I protect all of the set_ routes overall?
Stacia
I'm not sure what you mean. There's only one route generated per attribute, unless you're referring to something else.
Peter Wagenet