How do I restrict access to one action of a controller using a token in the URL - Rails 3?
Question
I setup my controller to allow exceptions in the filter for a specific token in the URL.
For all intents and purposes of this demo the token is the character 'a'.
But now, when I go to the URL for that action, eg stage/7/compare and am not logged in, I can see it....how do I set i up so that if the token param isn't in the URL, it sends the user to login, but if it is allows them to see it without logging in (eg stages/7/compare?token=a ) ?
This is what my Stages Controller looks like:
class StagesController < ApplicationController
before_filter :check_token, :only => [:show]
before_filter :authenticate_user!, :except => [:compare]
filter_access_to :all
def show
@stage = Stage.find(params[:id])
render :layout => 'comparison'
title = @stage.name
#@upload = Upload.find(params[:id])
# respond_to do |format|
# format.html # show.html.erb
# format.xml { render :xml => @stage }
# end
end
def compare
@stage = Stage.find(params[:id])
title = @stage.name
end
private
def check_token
stage = Stage.find(params[:id])
redirect_to(params[:token] == "a" ? compare_stage_path(stage) : root_path)
end
end
Edit1: If I change the :check_token to :only [:compare] this is what my log does:
Started GET "/stages/7/compare" for 127.0.0.1 at 2011-03-30 18:45:05 -0500
Processing by StagesController#compare as HTML
Parameters: {"id"=>"7"}
User Load (1.9ms) SELECT "users".* FROM "users" WHERE ("users"."id" = 1) LIMIT 1
#<User id: 1, email: "test@abc.com", encrypted_password: "$2a$10$qUbNGm6lZ366jRiE0vK0gOpxbGXD5JmfqWmH1lfLlCEC...", password_salt: "$2a$10$qUbNGm6lZ366jRiE0vK0gO", reset_password_token: nil, remember_token: nil, remember_created_at: nil, sign_in_count: 251, current_sign_in_at: "2011-03-30 23:28:18", last_sign_in_at: "2011-03-30 21:57:13", current_sign_in_ip: "127.0.0.1", last_sign_in_ip: "127.0.0.1", username: "test", f_name: "Test", l_name: "User", created_at: "2011-01-22 07:17:45", updated_at: "2011-03-30 23:28:18", invitation_token: nil, invitation_sent_at: nil, plan_id: 3, current_state: nil, confirmation_token: nil, confirmed_at: "2011-02-11 23:19:15", confirmation_sent_at: "2011-02-11 23:18:20">
Stage Load (0.3ms) SELECT "stages".* FROM "stages" WHERE ("stages"."id" = 7) LIMIT 1
Redirected to http://localhost:3000/
Completed 302 Found in 190ms
ie it redirects to my root_path.
2 answers
solution1
2 2011-03-30 22:52:10
您的问题询问您的compare操作,但您的before_filter设置为仅对show动作进行操作。
before_filter :check_token, :only => [:compare]
solution2
0 ACCPTED 2011-03-31 07:24:46
This code fixes the issue:
class StagesController < ApplicationController
before_filter :check_token_or_user, :only => :compare
before_filter :authenticate_user!, :only => :show
def show
@stage = Stage.find(params[:id])
render :layout => 'comparison'
end
def compare
@stage = Stage.find(params[:id])
end
private
def check_token_or_user
if !user_signed_in && params[:token].blank?
redirect_or_someting
elsif !user.signed_in && params[:token].present? && params[:token] == "a"
# do nothing, they can view the page
elsif user_signed_in?
# do nothing, they can view the page
end
end
end
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.