korywka

Reputation: 7653

In which controller action is it better to check users' rights?

In 'new' or 'create'? In 'edit' or 'update'?

I check with this line:

correct_user(@car.user) if not current_user.admin?

where

def correct_user(user)
  # send anyone who is not the record's owner back to the root page
  redirect_to root_path if current_user != user
end

Upvotes: 0

Views: 76

Answers (2)

gmalette

Reputation: 2459

In every single place a user cannot access if he doesn't have the permissions.

I would structure the code so that you don't have to write it in the action:

before_filter :load_car, :redirect_unless_correct_user!, :except => :index

protected
def load_car
  # load the record first so the ownership filter below has something to compare against
  @car = Car.find(params[:car_id])
end

def redirect_unless_correct_user!
  # admins may act on any car; everyone else must own it
  redirect_to(root_path) unless (current_user == @car.user) || current_user.admin?
end

Upvotes: 1

xdazz

Reputation: 160833

If these actions all need the admin right, you'd better use a before filter.

before_filter :correct_user, :only => [:new, :create, :edit, :update]

Upvotes: 2
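The pattern both answers describe (load the record in one filter, check ownership in the next, scope the filters with :only) as an added example that runs without Rails; it is not code from the question or either answer. User, Car, CARS and the MiniController that imitates the before-filter chain are constructed stand-ins for this example, and the assumption that new/create need only a signed-in user (there is no record to own yet) is mine.

```ruby
# Added example, not code from the thread. Models Rails' before-filter chain in
# plain Ruby so the ownership check can be run end to end without Rails.
User = Struct.new(:name, :admin) { def admin?; admin; end }
Car  = Struct.new(:id, :user)
CARS = { 1 => Car.new(1, User.new("alice", false)) }   # constructed sample data

class MiniController
  def self.filters; @filters ||= []; end
  # Mimics before_filter :name, :only => [...] / :except => [...]
  def self.before_filter(*names, **opts)
    names.each { |n| filters << [n, opts] }
  end
  attr_reader :current_user, :params, :result
  def initialize(current_user, params = {})
    @current_user, @params, @result = current_user, params, nil
  end
  def redirect_to(path); @result = [:redirect, path]; end
  # Runs every applicable filter in order; like Rails, the chain halts as soon
  # as a filter redirects, so the action itself never runs.
  def process(action)
    self.class.filters.each do |name, opts|
      next if opts[:only]   && !Array(opts[:only]).include?(action)
      next if opts[:except] && Array(opts[:except]).include?(action)
      send(name)
      return @result if @result
    end
    @result = [:rendered, action]
  end
end

class CarsController < MiniController
  # Load the record first, then check ownership against it. new/create have no
  # record yet (assumption: any signed-in user may reach them), so the
  # ownership filters are scoped to the actions that operate on a record.
  before_filter :require_login
  before_filter :load_car, :redirect_unless_correct_user!,
                only: [:show, :edit, :update, :destroy]
  def index; end; def new; end; def create; end
  def show; end;  def edit; end; def update; end; def destroy; end
  protected
  def require_login; redirect_to("/login") unless current_user; end
  def load_car; @car = CARS.fetch(params[:id]); end
  def redirect_unless_correct_user!
    # admins bypass the ownership check; everyone else must own the car
    redirect_to("/") unless current_user.admin? || current_user == @car.user
  end
end
```

CarsController.new(user, id: 1).process(:edit) returns [:rendered, :edit] for the owner or an admin and [:redirect, "/"] for anyone else.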
