I'm new to Rails and I'm trying to create a standard CRUD rails application for displaying text posts. It's pretty similar to blog where I would like authenticated users to be able to edit and destroy posts while visitors to the site can just see and browse the existing posts.

I would like to know what is the best way to manage this. So far I've been using two controllers the first has a before_filter so that each route requires authentication and the associated views have edit/destroy/new links. The second controller has no authentication filter and the views don't have links to edit or destroy the posts.

This solution works, but I don't think it's very DRY. I have a feeling that if I stick with this situation things will get more and more complicated as I add more functionality. Is there a better way to manage this? I'm sure it must be a common problem.

+1  A: 

Ryan talks about this problem (DRY by having admin controllers and regular user controllers) and a better solution in Railscast #19.

As an aside, I hope your second controller (the one without an authorization before_filter) doesn't have update or destroy actions. Even if you don't have the links in your view an unscrupulous person could create a request that would mess with your data.

Jason Punyon
Thank you for this link it really helped me understand the difference between authentication and authorization. I had never heard of this before.
Michael Barton
@Michael Barton: No problem...always happy to help. :)
Jason Punyon
+2  A: 

You should give lockdown a try: http://stonean.com/page/lockdown

Lockdown is an authorization system for RubyOnRails (ver 2.x). It is designed to handle anything from a simple public vs private configuration to very fine-grained access controls.

Kieran Hayes
Thanks. I looked at this then followed links to padlock and acl9. I think these sort of libraries are exactly what I'm looking for.
Michael Barton
+1  A: 

I use role_requirement to control user access to given controller methods via "admin" and "user" roles. I use a hand-rolled lib to make sure that a given user has permission to access/manipulate specific data. So for example, if you don't "own" a certain post (say #3), yet you try to drop its ID in /posts/destroy/3, you will get shut out.

cgr
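Jason's aside (the guard must live in the action, not in whether the view renders a link) and cgr's ownership check combined in one place, as an added example that is not part of any answer above: plain Ruby with no Rails dependency, where `PostPolicy`, `PostsController`, `User` and `Post` are hypothetical stand-ins for the Rails pieces and the roles/actions are assumed.

```ruby
require 'set'

User = Struct.new(:id, :role)             # role is :admin or :user (assumed)
Post = Struct.new(:id, :author_id, :title)

class NotAuthenticated < StandardError; end
class NotAuthorized    < StandardError; end

# One place that answers "may this user perform this action on this post?"
# (the hand-rolled ownership check from the third answer, made explicit).
class PostPolicy
  PUBLIC_ACTIONS = Set[:index, :show].freeze           # visitors may read
  OWNER_ACTIONS  = Set[:edit, :update, :destroy].freeze # owner or admin only
  ALL_ACTIONS    = (PUBLIC_ACTIONS | OWNER_ACTIONS | Set[:new, :create]).freeze

  def self.permit!(user, action, post = nil)
    raise ArgumentError, "unknown action #{action}" unless ALL_ACTIONS.include?(action)
    return true if PUBLIC_ACTIONS.include?(action)
    # Every write needs a signed-in user: this is what a before_filter enforces,
    # whether or not the view ever rendered a link for the action.
    raise NotAuthenticated, "login required for #{action}" if user.nil?
    return true unless OWNER_ACTIONS.include?(action)
    # Owner-only actions: an admin may touch any record, a user only their own.
    return true if user.role == :admin || post.author_id == user.id
    raise NotAuthorized, "user #{user.id} does not own post #{post.id}"
  end
end

# Stand-in for a single PostsController: the guard runs inside the action, so a
# hand-built DELETE /posts/3 gets exactly the same answer as a clicked link.
class PostsController
  def initialize(posts)
    @posts = posts.each_with_object({}) { |p, h| h[p.id] = p }
  end

  def show(user, id)
    PostPolicy.permit!(user, :show)
    @posts.fetch(id)
  end

  def destroy(user, id)
    post = @posts.fetch(id)            # KeyError here plays the role of a 404
    PostPolicy.permit!(user, :destroy, post)
    @posts.delete(id)
    :destroyed
  end
end
```

With this shape one controller serves both visitors and authenticated users, so the duplicated admin/public controller pair from the question is no longer needed.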