tags:

views:

59

answers:

4
Q: 

In my RoR app, a user has many notes. What is the correct way to restrict access to a note to only the user that created it?

At the moment, any logged in user can go to http://localhost:3000/notes/note_id and view the note there. How do I restrict this so that you can only see notes that belong to you? Thanks for reading.

+2  A: 

In the NotesController #show action, redirect or show a permission denied error if the user_id on the note doesn't == the logged in user id.

Another solution is to put this code in a before_filter in the NotesController, since the same validation is performed for the #edit and #delete methods.

Edit: Putting all the suggestions together (Sorry if this has been confusing):

Edit2: Using Veeti's association answer, which I always seem to forget, we can add current_user.notes.find() to the mix. Like he said, your current_user needs to return a User object, and you'll need a has_many :notes in your User model.

class NotesController < ApplicationController
  before_filter :check_ownership, :except => [:new, :create, :index]

  #.. new, create, index, show, edit, delete actions

  private

  def check_ownership
    redirect_to :back unless current_user.notes.find(params[:id])
  end
end
Jon Smock  2010-08-23 02:20:41
@Jon - Thanks for your answer. So I should put the redirect code in every action in the NotesController I imagine?
ben  2010-08-23 02:46:30
You could also use a `before_filter` method to execute that action before every action: `before_filter :check_ownership, :except => [:new, :create, :index]`
unsorted  2010-08-23 04:43:05
@ben No, it's probably best to put it in the before_filter, because you'll have the same code duplicated for some of the other actions (edit, delete). I'll edit my answer; I just wanted to answer your specific question.
Jon Smock  2010-08-23 12:33:59
@Jon Not confusing at all, I should have included that question in the original question. Thanks so much for your help
ben  2010-08-23 12:46:31
A: 

I like using acl9 as an authentication which has a the concept of an object owner. Then you can put in a line like

access_control do
  allow :owner, :of => :note, :to => [:show, :edit, :update]
end

See http://wiki.github.com/be9/acl9/tutorial-securing-a-controller (in particular, step 4) for more details.

If you don't want to use a plugin, Jon's solution makes sense.

unsorted  2010-08-23 04:41:22
I'm not sure why we were downvoted. Here's a +1, because I think your answer was helpful and valid.
Jon Smock  2010-08-23 12:37:37
A: 

The best way to achieve this is using before_filter. You can read about the details, but essentially, it runs a method before the action is called. In this method, you can check to see if the person attempting access to the note actually has permission to do so. Another good thing about this approach is that you can put the method in ApplicationController, lib/, etc, and add the before_filter to whatever controllers or actions need it. Here's a simple example:

application_controller.rb:

class ApplicationController < ActionController:Base

def verify_note_permission
  current_user.id == Note.find(params[:id]).user_id or redirect_to :back
end

notes_controller.rb

class NotesController < ApplicationController
  before_filter :verify_note_permission
  ...
end

This will check to ensure the current user's id matches the ID on the document, or it redirects back to wherever they came from. You could also add flash messages here along with a custom check for permissions implemented in the model. (Probably belongs in the model anyways).

Preston Marshall  2010-08-23 07:04:42
I don't think you should be putting the verify_note_permission method in the ApplicationController. If anything, you should make it protected and pass the note_id as a parameter instead of pulling it directly from params.
Jon Smock  2010-08-23 12:39:36
+2  A: 

Assuming that you have a method called current_user which returns the current User, you could use the Note relationship on the User to only search for a note of theirs with the specified ID, so instead of:

@note = Note.find(params[:id])

do

@note = current_user.notes.find(params[:id])

(Of course, you will need to specify associations in your models.)

Veeti  2010-08-23 12:47:26
+1 This is helpful.
Jon Smock  2010-08-23 12:59:31
You'll have to duplicate the code for each controller action. Using the before_filter avoids code duplication. Using the except will make sure that each new action is protected by default.
David  2010-08-23 14:20:09
Nothing prevents you from using a `before_Filter` with this method - in fact, I never said that you shouldn't use one.
Veeti  2010-08-23 14:30:20

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.