Reputation: 98
I am building an app where people are able to create their own pages and access them via a unique URL. There is no standard login with email and password or anything similar. People can decide whether they want to set a password for their page or not. If someone wants to view or edit a page, he should be asked to enter a password if there is a password set for that page. If not, he should be able to view or edit the page right away. The only way that came to my mind to achieve this without a heavy workaround would be to put the access control right into the view and change its output via if/then/else.
Now I am wondering if that is good practice or if it could lead to some severe vulnerability issues.
Upvotes: 0
Views: 523
Reputation: 13621
The short answer: No. You want to keep the view clean of logic as much as possible. More importantly, it's better to use a RESTful setup rather than pile more logic into one controller and/or model. In this case, we're talking about authenticating a user. Generally, checking that a user is logged in for an action is done using a before_filter. So you could use the before_filter on the controller. Use the method passed in to check if the object is protected or not. When that object is protected, check if the user is currently authenticated.
In the before filter, you can then redirect to an alternate action, preferably one you set up to use the password form. I would probably create a separate controller for that. Call it Sessions, or Authentication, whatever you prefer. Set up a new action for the password form, and set up a create action. The new view would need to contain the page_id in a hidden field of some sort, or you can keep it in the route using nested resources. For example:
```ruby
resources :pages do
  resource :session, :only => [:new, :create]
end
```
That will create routes like:
```
/pages/1/session/new
/pages/1/session (POST)
```
In your create action, you can then set up something like a session store (provided the password is correct). And in your authentication check, simply check for the value of that session store.
Upvotes: 1
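A plain-Ruby sketch of the check the answer describes, added here as an example and not taken from the original post or from Rails: a constructed Page struct stands in for the model, a Hash stands in for the Rails session, and PBKDF2 from the standard library stores the page password. PageAccess.authorized? is what the before_filter would ask, and PageAccess.unlock is the Sessions#create equivalent that records only the unlocked page id, never the password.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for the Page model: a page is protected when it has a digest.
Page = Struct.new(:id, :password_salt, :password_digest) do
  def protected?
    !password_digest.nil?
  end
end

module PagePasswords
  ITERATIONS = 100_000
  KEY_LEN = 32

  # Salted PBKDF2-HMAC-SHA256, so the stored value is not the password itself.
  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, OpenSSL::Digest.new("sha256"))
  end

  def self.set_password(page, password)
    page.password_salt = SecureRandom.random_bytes(16)
    page.password_digest = digest(password, page.password_salt)
    page
  end

  # Constant-time comparison so timing does not reveal how many bytes matched.
  def self.correct?(page, candidate)
    return false unless page.protected?
    given = digest(candidate, page.password_salt)
    return false unless given.bytesize == page.password_digest.bytesize
    given.bytes.zip(page.password_digest.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# What the before_filter asks: unprotected pages pass; protected pages pass only
# when this page's id was unlocked earlier in the session.
module PageAccess
  def self.authorized?(page, session)
    return true unless page.protected?
    Array(session[:unlocked_page_ids]).include?(page.id)
  end

  # Sessions#create equivalent: on a correct password, record the page id only.
  def self.unlock(page, candidate, session)
    return false unless PagePasswords.correct?(page, candidate)
    session[:unlocked_page_ids] = Array(session[:unlocked_page_ids]) | [page.id]
    true
  end
end
```

Because the session stores page ids rather than a single "authenticated" flag, unlocking one protected page does not grant access to another.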