views: 118
answers: 4

I have an application used by several organizations and I want to check that users of one domain (a.domain.com) cannot edit users of another domain (b.domain.com). My question is where to put the logic, in a before filter or in the view?

View:

<%# Output tags (<%= %>) are needed, or the render calls are emitted as literal text %>
<% if @user.websites.detect {|website| website.url == request.host} %>
  <%= render :partial => 'form' %>
<% else %>
  <%= render :partial => 'no_access' %>
<% end %>

Or, in the controller:

# The RESTful delete action is named destroy, not delete
before_filter :verify_editable_user, :only => ['edit', 'update', 'destroy']
protected
def verify_editable_user
  # Eager-load websites so the detect below does not issue a second query
  @user = User.find(params[:id], :include => :websites)
  unless @user.websites.detect {|website| website.url == request.host}
    # Rendering inside a before_filter halts the chain, so the action never runs
    render 'no_access', :status => :forbidden
  end
end

In this scenario, the first version feels cleaner to me. However, the second seems more in line with MVC. What do you think? Am I way off base? Thanks in advance.

A: 

I recommend using the lockdown gem for authorization. (see http://stonean.com/)

The second one is in fact much cleaner.

glebm
A: 

A couple of other authorization gems to check out would be CanCan and acl9.

Andy Gaskell
A: 

You shouldn't place logic in your views. Having logic in the controllers and not in the views will actually make your testing easier...

Hock
A: 

I would recommend before_filter and acl9, and also using presenters to get code out of your views and into a testable Ruby object.

danivovich
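The following is an added example, not code from the question or from any of the answers. It models the two designs from the question (view-only check versus a halting before_filter) and the "testable Ruby object" idea from the last answer in plain Ruby with no Rails dependency, so it runs stand-alone. Website, User, Request, the two controllers, UserEditPolicy and the sample data are all constructed for illustration. It shows why the check belongs in front of every mutating action: the view-only version hides the form but still applies a direct PUT from the other domain, while the filter version halts with a 403. Two caveats the example bakes in: hostnames are compared case-insensitively, and the Host header is supplied by the client, so it may narrow which website's users are visible but should never be the only thing granting access.

```ruby
# Added example (not from the original question or any answer): a plain-Ruby
# model of the two designs, with no Rails dependency. All classes and the
# sample data below are constructed stand-ins.
Website = Struct.new(:url)
User    = Struct.new(:id, :name, :websites)
Request = Struct.new(:host, :params)

# The check lives in a plain object so it can be unit-tested without a request
# cycle. Hostnames are compared case-insensitively. The Host header is
# client-supplied: it may narrow access, but must never be the only grant.
class UserEditPolicy
  def initialize(user, host)
    @user = user
    @host = host.to_s.downcase
  end

  def editable?
    @user.websites.any? { |w| w.url.to_s.downcase == @host }
  end
end

# Design 1 from the question: the check happens only in the view. `edit`
# hides the form, but `update` still trusts whatever arrives.
class ViewOnlyUsersController
  def initialize(users)
    @users = users
  end

  def dispatch(action, req)
    public_send(action, req)
  end

  def edit(req)
    user = @users.fetch(req.params[:id])
    UserEditPolicy.new(user, req.host).editable? ? [200, 'form'] : [200, 'no_access']
  end

  def update(req)
    user = @users.fetch(req.params[:id])
    user.name = req.params[:name]          # no check here at all
    [302, "/users/#{user.id}"]
  end
end

# Design 2: the check runs before every mutating action and halts the request.
class FilteredUsersController
  CHECKED_ACTIONS = %w[edit update destroy].freeze   # Rails names it destroy, not delete

  def initialize(users)
    @users = users
  end

  # Stand-in for before_filter dispatch: a filter that renders halts the chain.
  def dispatch(action, req)
    if CHECKED_ACTIONS.include?(action)
      denied = verify_editable_user(req)
      return denied if denied
    end
    public_send(action, req)
  end

  def edit(_req)
    [200, 'form']
  end

  def update(req)
    @user.name = req.params[:name]
    [302, "/users/#{@user.id}"]
  end

  private

  def verify_editable_user(req)
    @user = @users.fetch(req.params[:id])
    return nil if UserEditPolicy.new(@user, req.host).editable?
    [403, 'no_access']                     # halt with a status, not a 200 page
  end
end

# Constructed scenario: user 1 belongs to a.domain.com; a request arriving for
# b.domain.com tries to rename them with a direct PUT, skipping the edit page.
# Returns [status, resulting name] so the outcome can be asserted on.
def cross_domain_update(controller_class)
  users = { 1 => User.new(1, 'alice', [Website.new('a.domain.com')]) }
  req = Request.new('b.domain.com', { id: 1, name: 'pwned' })
  status, _location = controller_class.new(users).dispatch('update', req)
  [status, users[1].name]
end

if __FILE__ == $PROGRAM_NAME
  p cross_domain_update(ViewOnlyUsersController)   # [302, "pwned"]
  p cross_domain_update(FilteredUsersController)   # [403, "alice"]
end
```

Running the file prints the two outcomes: the view-only controller returns 302 and the user is renamed, the filtered controller returns 403 and the user is untouched. A further hardening step, not shown, is to scope the lookup to the current website's users (so a foreign id raises RecordNotFound and becomes a 404) rather than loading any user and checking afterwards.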