Derek

Reputation: 9943

Rails 3: How Does One Restrict Access to IDs

This might be very simple; I don't know Rails very well.

I have a match myController/myAction/myID in my routes.rb that will direct hyperlinks to the proper page (using link_to). But here's the problem: I don't want people to be able to freely modify the id parameter, passing in via the URL whatever they like.

Is there a way to perhaps restrict access to routes to the link_to method only? Or maybe there's another way to go about this, using a passed in hidden variable param or something?

Upvotes: 0

Views: 214

Answers (1)

chischaschos

Reputation: 557

Users access your site via URLs like /controller/action/:id, right? A user can change an id and must not view another non-authorized resource. How to achieve this? On your controller, return only those resources that the user is allowed to access.

For example, suppose that you are using devise:

class AController < ApplicationController

  # Look the record up through the logged-in user's own collection
  # (this assumes a has_many :resources association on the user model),
  # so an id that belongs to someone else is not found and raises
  # ActiveRecord::RecordNotFound, which Rails renders as a 404.
  def index
    @resources = current_user.resources.find(params[:id])
  end
end

This way if the user tries to access something he does not have access to, he will get an error.

Hope this helps, if not please let me know and I'll try to elaborate.

About current_user: yes, it is supposed to be the currently logged-in user. It doesn't have to be devise; you can implement your own session handling logic and then create a helper method to retrieve the currently logged-in user.

About using devise, if you don't want to implement your own session handling logic, plus if you want features like:

  • remember me
  • already created views that you can fully customize
  • authentication
  • authorization
  • password encryption
  • many more (please look at the docs for further information)

Then devise is a good way to go.

Also, it is always a great idea, if possible and as a learning exercise, to implement your own authentication and authorization layers; you won't regret it.

Best regards

Emmanuel Delgado

Upvotes: 2
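The answer's point, as an added example that is not the answer's own code: a plain-Ruby model of the unscoped finder beside the owner-scoped one, runnable without Rails. User, Resource, RecordNotFound and the sample rows are constructed stand-ins for the ActiveRecord pieces.

```ruby
# Constructed stand-in for ActiveRecord::RecordNotFound (Rails renders it as 404).
class RecordNotFound < StandardError; end

Resource = Struct.new(:id, :owner_id, :title)

# Constructed sample data: two users, each owning one record.
RESOURCES = [
  Resource.new(1, 10, "alice's report"),
  Resource.new(2, 20, "bob's report"),
].freeze

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Equivalent of a has_many association: only this user's rows.
  def resources
    RESOURCES.select { |r| r.owner_id == id }
  end
end

# Vulnerable pattern: Resource.find(params[:id]) searches the whole table,
# so any existing id typed into the URL is served no matter who asks.
def find_unscoped(id)
  RESOURCES.find { |r| r.id == id } || raise(RecordNotFound)
end

# Fixed pattern: current_user.resources.find(params[:id]). A foreign id is
# simply absent from the user's collection, so the lookup fails.
def find_scoped(current_user, id)
  current_user.resources.find { |r| r.id == id } || raise(RecordNotFound)
end

# What a controller action hands back for a given user and URL id:
# the record's title, or :not_found when the scoped lookup raises.
def show(current_user, id)
  find_scoped(current_user, id).title
rescue RecordNotFound
  :not_found
end
```

Swapping `find_scoped` for `find_unscoped` inside `show` is exactly the change that lets one user read another's record by editing the id.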
