Scoala
Reputation: 150
protect urls in rails
I have some pages in a rails website that can be accessed only by user and admin, I am hiding them from the public inside the views with user_signed_in?.
the problem is that when you copy and paste the url of the page when not logged in you can still access them.
I imagine its something I need to add in the controller of those pages.
Any help would be great as I am still learning rails.
for example i would like to protect this controller
class DailiesController < ApplicationController
before_filter :authenticate_admin!, except: [:index, :show]
before_action :set_daily, only: [:show, :edit, :update, :destroy]
# GET /dailies
# GET /dailies.json
def index
@dailies = Daily.order("created_at desc")
end
# GET /dailies/1
# GET /dailies/1.json
def show
end
# GET /dailies/new
def new
@daily = current_admin.dailies.new
end
# GET /dailies/1/edit
def edit
@daily = current_admin.dailies.find(params[:id])
end
# POST /dailies
# POST /dailies.json
def create
@daily = current_admin.dailies.new(daily_params)
respond_to do |format|
if @daily.save
format.html { redirect_to @daily, notice: 'Post was successfully created.' }
format.json { render action: 'show', status: :created, location: @daily }
else
format.html { render action: 'new' }
format.json { render json: @daily.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /dailies/1
# PATCH/PUT /dailies/1.json
def update
@daily = current_admin.dailies.find(params[:id])
respond_to do |format|
if @daily.update(daily_params)
format.html { redirect_to @daily, notice: 'daily was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: 'edit' }
format.json { render json: @daily.errors, status: :unprocessable_entity }
end
end
end
# DELETE /dailies/1
# DELETE /dailies/1.json
def destroy
@daily = current_admin.dailies.find(params[:id])
@daily.destroy
respond_to do |format|
format.html { redirect_to dailies_url }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_daily
@daily = Daily.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def daily_params
params.require(:daily).permit(:description, :image)
end
end
Upvotes: 0
Views: 317
Answers (1)
avinodra
Reputation: 102
have you already created a method called authenticate_admin?
you can try something like this
before_action :has_access?
def has_access?
redirect_to root_path unless user_signed_in? && current_user.admin?
end
Upvotes: 1
Related Questions
- How to protect against tampering with the URL in Rails
- Ruby - Allowed/restrict Url access
- Rails - How to prevent direct URL access to a method
- Url security trouble
- Hiding urls in a Rails 3 application
- Preventing direct URL access to Rails Controller Methods
- Restricting url manipulation to return other user records
- Rails Secret URLs
- How do I deny access to a specific URL in my rails app?