Rails guides - getting started - section 10 security

The example doesn't work as described for me; not sure if I haven't
followed it right, or there's a problem with the code. Can someone
help me to determine what the problem is?

Specifically, after adding the authentication code to the
PostsController, with this line:

before_filter :authenticate, :except => [:index, :show]

The guide says that "we want the user to be authenticated on every
action, except for index and show", however, it only authenticates on
the new post and edit options; it doesn't authenticate on destroy.

Sincere thanks in advance to anyone who can help shed light on this
issue! :)

Here's my code:


----------------------------------------------------------------------------------------------

class ApplicationController < ActionController::Base
  protect_from_forgery
  private

  def authenticate
    authenticate_or_request_with_http_basic do |user_name, password|
      user_name == 'admin' && password == 'password'
    end
  end
end

----------------------------------------------------------------------------------------------
class PostsController < ApplicationController

  before_filter :authenticate, :except => [:index, :show]

  # GET /posts
  # GET /posts.xml
  def index
    @posts = Post.all

    respond_to do |format|
      format.html # index.html.erb
      format.xml { render :xml => @posts }
    end
  end

  # GET /posts/1
  # GET /posts/1.xml
  def show
    @post = Post.find(params[:id])

    respond_to do |format|
      format.html # show.html.erb
      format.xml { render :xml => @post }
    end
  end

  # GET /posts/new
  # GET /posts/new.xml
  def new
    @post = Post.new

    respond_to do |format|
      format.html # new.html.erb
      format.xml { render :xml => @post }
    end
  end

  # GET /posts/1/edit
  def edit
    @post = Post.find(params[:id])
  end

  # POST /posts
  # POST /posts.xml
  def create
    @post = Post.new(params[:post])

    respond_to do |format|
      if @post.save
        format.html { redirect_to(@post, :notice => 'Post was successfully created.') }
        format.xml { render :xml => @post, :status => :created, :location => @post }
      else
        format.html { render :action => "new" }
        format.xml { render :xml => @post.errors, :status => :unprocessable_entity }
      end
    end
  end

  # PUT /posts/1
  # PUT /posts/1.xml
  def update
    @post = Post.find(params[:id])

    respond_to do |format|
      if @post.update_attributes(params[:post])
        format.html { redirect_to(@post, :notice => 'Post was successfully updated.') }
        format.xml { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml { render :xml => @post.errors, :status => :unprocessable_entity }
      end
    end
  end

  # DELETE /posts/1
  # DELETE /posts/1.xml
  def destroy
    @post = Post.find(params[:id])
    @post.destroy

    respond_to do |format|
      format.html { redirect_to(posts_url) }
      format.xml { head :ok }
    end
  end
end

rails != ruby


--
Posted via http://www.ruby-forum.com/.
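The following is an added example, written for this thread and not code from the Rails guide or from the poster. It is a small stand-alone Ruby model of two things the post touches on: how `before_filter :authenticate, :except => [...]` selects the actions it guards (every action not listed in `:except`, so `destroy` is covered just like `new` and `edit`), and what `authenticate_or_request_with_http_basic` does on the wire (a 401 with a `WWW-Authenticate` challenge when no valid `Authorization` header is present). The Rack-style `env` hash, the `dispatch` and `basic_header` helpers, and the hard-coded `admin`/`password` pair are assumptions made for the example; the real Rails filter chain and Basic auth helper are not used here.

```ruby
require 'base64'

# Added example (not Rails' or the poster's code): a toy model of Rails'
# before_filter/:except action selection plus an HTTP Basic check, to show
# which actions the filter covers and what the server sends back.

# All seven RESTful actions a scaffolded PostsController defines (assumption).
ALL_ACTIONS = %i[index show new edit create update destroy].freeze

# Mirrors `before_filter :authenticate, :except => [...]`: the filter runs
# for every action NOT listed in :except.
def filtered_actions(except: [])
  ALL_ACTIONS - except
end

# Toy credential check using the same hard-coded pair as the guide's example.
def valid_credentials?(user_name, password)
  user_name == 'admin' && password == 'password'
end

# Stand-in for authenticate_or_request_with_http_basic: reads the
# Authorization header from a Rack-style env hash and returns a Rack-style
# [status, headers, body] triple. The 401 carries the challenge header that
# makes a browser prompt for credentials; once the user has answered, the
# browser resends the same header on every later request to that realm, so
# no further prompt appears even though the filter still runs.
def authenticate(env)
  header = env['HTTP_AUTHORIZATION'].to_s
  if header.start_with?('Basic ')
    decoded = Base64.decode64(header.sub('Basic ', ''))
    user_name, password = decoded.split(':', 2)
    return [200, {}, ['ok']] if valid_credentials?(user_name, password)
  end
  [401, { 'WWW-Authenticate' => 'Basic realm="Application"' }, ['HTTP Basic: Access denied.']]
end

# Dispatch one request: run the filter only for the actions it covers, and
# stop with the 401 response when the check fails (as a before_filter does).
def dispatch(action, env, except: [:index, :show])
  if filtered_actions(except: except).include?(action)
    status, headers, body = authenticate(env)
    return [status, headers, body] unless status == 200
  end
  [200, {}, ["ran #{action}"]]
end

# Builds the header a browser sends once it has cached Basic credentials.
def basic_header(user_name, password)
  'Basic ' + Base64.strict_encode64("#{user_name}:#{password}")
end

if __FILE__ == $0
  p filtered_actions(except: [:index, :show])
  p dispatch(:destroy, {})
  p dispatch(:destroy, { 'HTTP_AUTHORIZATION' => basic_header('admin', 'password') })
  p dispatch(:destroy, { 'HTTP_AUTHORIZATION' => basic_header('admin', 'wrong') })
end
```

Running it shows `destroy` in the filtered set and a 401 for a bare `DELETE`, which is the check worth doing against the real app too: issue the destroy request from a client that has never sent credentials (a fresh private browsing window, or a command-line HTTP client without an `Authorization` header) rather than from a browser tab that already authenticated for `new` or `edit`.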