Obviously from the AJAX scaffold, we do not enter ANY controller actions
in the URLs. But how do we prevent the user from doing this?
I know we can add checks to the edit action to ensure that if it is called
we can ensure the user is allowed to view/edit the requested record.
(Sections 21.5 & 21.6 in Agile Web Dev)
>
> Any ideas how to prevent the user from entering things like
> http://mysite.com/users/new ?
>
> Obviously from the AJAX scaffold, we do not enter ANY controller actions
> in the URLs. But how do we prevent the user from doing this?
If you're using user_engine, you have full control of which users
have which roles, which in turn determines which method/controller
pairs they are allowed to call. If you need role-based authorisation,
use a role-based authorisation system, but it's out of scope for
ajax-scaffold to handle, IMHO.
--
Paul Robinson
def new
  # Reject anything that did not arrive as an Ajax (XMLHttpRequest) call,
  # e.g. a URL typed straight into the address bar.
  return redirect_to :action => 'index' unless request.xhr?
  # ... normal code here ...
end
You could do a similar thing to prevent GET calls and allow only POST
calls.
I already have my own full role based authentication built in to the
user model. This prevents access to each controller depending on role.
However this does not prevent a user who has access to a controller
from calling events manually and specifying the id of whatever record
they want to use.
Dr Nic's suggestion of limiting access to Ajax calls takes things a
step further but still is not perfect.
I wonder is there any way to set some sort of flag when the create
new/edit or delete buttons are pressed, then checking for and resetting
this flag in each controller event?
> I wonder is there any way to set some sort of flag when the create
> new/edit or delete buttons are pressed, then checking for and resetting
> this flag in each controller event?
Not a way that can easily be spoofed. One way to investigate would be
to look at the referrer, but to be honest I would advise looking at
RBAC at the method level instead of just the controller level.
--
Paul Robinson
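As an added example (my own code, not Dr Nic's, Paul's, ajax-scaffold's or user_engine's), written in plain Ruby without Rails so it runs stand-alone: a role check at the controller/action level, as Paul recommends, combined with the per-record ownership check the original question asks for. In a real app the two checks would sit in a before_filter and in the action body; the roles, users and records here are constructed sample data.

```ruby
require 'set'

# Which (controller, action) pairs each role may call. The roles and
# the users/records below are constructed sample data, not the thread's.
PERMISSIONS = {
  'admin'  => Set.new([%w[users index], %w[users new], %w[users edit], %w[users destroy]]),
  'member' => Set.new([%w[users index], %w[users edit]]),
  'guest'  => Set.new([%w[users index]])
}.freeze

User   = Struct.new(:id, :role)
Record = Struct.new(:id, :owner_id)
RECORDS = { 234 => Record.new(234, 1), 235 => Record.new(235, 2) }.freeze

class AuthorizationError < StandardError; end

# Step 1: RBAC at the method level, not just per controller (Paul's point).
def authorize_action!(user, controller, action)
  allowed = PERMISSIONS.fetch(user.role, Set.new)
  return true if allowed.include?([controller, action])
  raise AuthorizationError, "#{user.role} may not call #{controller}##{action}"
end

# Step 2: the record check from the original question. A user who may call
# `edit` still must not edit a record they do not own (admins excepted).
def authorize_record!(user, record_id)
  record = RECORDS[record_id]
  raise AuthorizationError, "no such record #{record_id}" if record.nil?
  return record if user.role == 'admin' || record.owner_id == user.id
  raise AuthorizationError, "user #{user.id} does not own record #{record_id}"
end

# Stands in for the controller action handling a hand-typed URL such as
# /users/edit/234: both checks run whether or not the request came via Ajax,
# so the request.xhr? test is not what protects the data.
def dispatch(user, controller, action, record_id = nil)
  authorize_action!(user, controller, action)
  authorize_record!(user, record_id) if record_id
  :ok
rescue AuthorizationError => e
  [:forbidden, e.message]
end
```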
/forums/new - valid url entered explicitly
/forums/show/234 - invalid
/forums/show/234?session=234df3234af - valid if params[:session]
matches the same code in the session
This does have the side effect of rendering the application useless to
anyone unfortunate enough not to have javascript.
However, there's lots of other Javascript in my application (including
navigation) so without Javascript the app is not usable.
Would be good to check for Javascript during login and prevent login if
Javascript is not present. A quick google on the subject says there is
no way to detect the presence of JS - unless anyone here knows
different?
It's nice to know your app can work at some level without javascript :)
I'm afraid my app won't work at all without javascript as it uses
javascript controls for navigation. So you will get logged in but not
much further....