Bennington
Reputation: 295
Securing RABL gem (Ruby on Rails)
I'm using rabl gem
show.rabl
object @user
attributes :id, :name, :realname, :email
And i get
{"user":{"id":1,"name":"username","email":"[email protected]"}}
The problem is that anyone can see this info if they open http://website.com/users/user.json link
In my db each user after logging have unique auth_token field.
Question is - I want to see this info only with this link - http://website.com/users/user.json?auth_token=yLrUAxWB2szkvx9jBEGv
Upvotes: 1
Views: 221
Answers (1)
pdu
Reputation: 10413
Create a check or work with some authorization gem like cancan.
Raw example so you can get a grasp (untested, wrote it on the phone...):
class MyController < ApplicationController
before_filter :check_token_if_json
respond_to :html, :json
def show
@user = User.find params[:id]
respond_with(@user)
end
private
def check_token_if_json
if params[:format] == 'json'
raise "Access denied" and return unless params[:token] == 'my_required_token'
end
end
Upvotes: 1