Reputation: 6546
how to secure JSON output in rails while still giving access to normal webpage
I am a bit confused on this. I am a bit new to rails API's. When a user visits www.example.com/products - he should still be able to view the normal webpage, but if he requests www.example.com/products.json, he should authenticate with a token, otherwise it should be denied access. in a normal rails app, we can either GET /pins or /pins.JSON by default like below:
But what if I want to authenticate only GET /pins.JSON or anything for that matter something.JSON ? is this possible somehow?
I did have a look at rails_api gem to some tutorials suggest creating rails app with rails_api, which creates the entire app as an API without normal webpage access.
Can anyone please suggest if its possible the way I want?
class PinsController < ApplicationController
before_action :set_pin, only: [:show, :edit, :update, :destroy]
before_action :authenticate_user! , except: [:index, :show]
before_action :correct_user , only: [:edit, :udpate, :destroy]
# GET /pins
# GET /pins.json
def index
@pins = Pin.all.order("created_at DESC").paginate(:page => params[:page])
end
def show
end
def new
@pin = current_user.pins.build
end
def edit
end
# POST /pins
# POST /pins.json
def create
@pin = current_user.pins.build(pin_params)
respond_to do |format|
if @pin.save
format.html { redirect_to @pin, notice: 'Pin was successfully created.' }
format.json { render :show, status: :created, location: @pin }
else
format.html { render :new }
format.json { render json: @pin.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /pins/1
# PATCH/PUT /pins/1.json
def update
respond_to do |format|
if @pin.update(pin_params)
format.html { redirect_to @pin, notice: 'Pin was successfully updated.' }
format.json { render :show, status: :ok, location: @pin }
else
format.html { render :edit }
format.json { render json: @pin.errors, status: :unprocessable_entity }
end
end
end
# DELETE /pins/1
# DELETE /pins/1.json
def destroy
@pin.destroy
respond_to do |format|
format.html { redirect_to pins_url, notice: 'Pin was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_pin
@pin = Pin.find(params[:id])
end
def correct_user
@pin = current_user.pins.find_by(id: params[:id])
redirect_to pins_path, notice: "Not authorized to edit this pin" if @pin.nil?
end
# Never trust parameters from the scary internet, only allow the white list through.
def pin_params
params.require(:pin).permit(:description, :image)
end
end
Upvotes: 0
Views: 58
Answers (1)
Reputation: 4523
the simplest way is to create a before_filter :authenticate_json and there enforce authentication in case json is requested
before_filter :authenticate_json
def authenticate_json
if request.path_parameters[:format] == 'json'
authenticate!
end
end
Upvotes: 1
Related Questions
- How to "pretty" format JSON output
- How store an image from URL with Active Storage
- Rails Dot in Url with two routes for one controller
- Getting "First argument in form cannot contain nil or be empty" error
- Agile Web Development Smarter Card Nil problems
- action mailer for rails 4
- RoR - New update action
- NoMethodError in PinsController#index, undefined method `to_a' for #<Class:0x0000010150ec98>
- link_to :action => 'create' going to index rather than 'create'
- ruby on rails has_many relation form validation of children