Rails%203%20In%20Action

More documents

Recommendations

Info

8.4 Blocking access to tickets Blocking access to tickets When implementing permissions, you have to be careful to ensure that all users who should have access to something do, and all users who shouldn’t have access to something don’t. All of the TicketsController’s actions are still available to all users because it has no permission checking. If you leave it in that state, users who are unable to see the project can still make requests to the actions inside Tickets- Controller. They shouldn’t be able to do anything to the tickets in a project if they don’t have permission to view tickets for it. Let’s implement permission checking to remedy this problem. 8.4.1 Locking out the bad guys To prevent users from seeing tickets in a project they’re unauthorized to see, you must lock down the show action of TicketsController. To test that when you put this restriction in place, it’s correct, write a spec in the spec/controllers/tickets_controller_spec.rb file, just as you did for the Projects- Controller. This file should now look like the following listing. Listing 8.5 spec/controllers/tickets_controller_spec.rb require 'spec_helper' describe TicketsController do let(:user) { create_user! } let(:project) { Factory(:project) } let(:ticket) { Factory(:ticket, :project => project, :user => user) } context "standard users" do it "cannot access a ticket for a project" do sign_in(:user, user) get :show, :id => ticket.id, :project_id => project.id response.should redirect_to(root_path) flash[:alert].should eql("The project you were looking for could not be found.") end end end This test sets up a project, a ticket, and a user who has no explicit permission to view the project and therefore shouldn’t be able to view the ticket. You test this spec by signing in as the unauthorized user and trying to go to the show action for this ticket, which requires you to pass through a project_id to help it find what project the ticket is in. The test should pass if the user is redirected to the root_path and if, upon the user seeing the flash[:alert], the application denies all knowledge of this project ever having existed. When you run this test using bin/rspec spec/controllers/tickets_controller _spec.rb, you see the ticket factory is undefined: No such factory: ticket (ArgumentError) 183
184 CHAPTER 8 More authorization Define this factory now in a new file called factories/ticket_factory.rb. This file will be automatically loaded by the code in spec/support/factories.rb: Factory.define :ticket do |ticket| ticket.title "A ticket" ticket.description "A ticket, nothing more" ticket.user { |u| u.association(:user) } ticket.project { |p| p.association(:project) } end Here you set up some defaults for the title and description fields for a factoryprovided ticket, but you do something new with the user method. You pass a block and call the association method on the object returned from the block, and the user for this ticket becomes one user factory-created object. Nifty. You do the same thing for the project method, so you can create tickets using this factory and have them related to a project automatically if you want. For this spec, however, you override it. When you run bin/rspec spec/controllers/tickets_controller_spec.rb again, this test fails because the user can still access this action: TicketsController standard users cannot access a ticket for a project Failure/Error: response.should redirect_to(root_path) With this test failing correctly, you can work on restricting the access to only the projects the user has access to. Open app/controllers/tickets_controller.rb and remove the :except option from the authenticate_user! filter, so it goes from this before_filter :authenticate_user!, :except => [:index, :show] to this: before_filter :authenticate_user! Now users should always be asked to sign in before accessing the index and show actions for this controller, meaning that current_user will always return a User object. You can reference the current_user method in find_project and use the for method to limit the project find scope to only the projects to which that user has access. You can change the find_project method to the following example: def find_project @project = Project.for(current_user).find(params[:project_id]) rescue ActiveRecord::RecordNotFound flash[:alert] = "The project you were looking for could not be found." redirect_to root_path end The rewritten find_project method will retrieve a Project only if the current_user has permission to view that project or is an admin. Otherwise, an ActiveRecord ::RecordNotFound exception will be thrown and rescued here, showing users “The project you were looking for could not be found.”
Page 1 and 2:
IN ACTION Ryan Bigg Yehuda Katz MAN
Page 4 and 5:
Rails 3 in Action RYAN BIGG YEHUDA
Page 6:
1 ■ Ruby on Rails, the framework
Page 9 and 10:
viii 3 4 5 6 CONTENTS Developing a
Page 11 and 12:
x 9 10 CONTENTS 8.5 Restricting wri
Page 13 and 14:
xii 13 14 CONTENTS 12.2 Subscribing
Page 15 and 16:
xiv 18 CONTENTS 17.4 Setting up a t
Page 17 and 18:
xvi PREFACE cover. It also takes a
Page 19 and 20:
xviii ACKNOWLEDGMENTS gnarly ePub R
Page 21 and 22:
xx about this book Ruby on Rails is
Page 23 and 24:
xxii ABOUT THIS BOOK By chapter 16,
Page 25 and 26:
about the cover illustration The fi
Page 27 and 28:
2 CHAPTER 1 Ruby on Rails, the fram
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
10 CHAPTER 1 Ruby on Rails, the fra
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
24 CHAPTER 2 Testing saves your bac
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
This chapter covers � Building th
Page 71 and 72:
46 CHAPTER 3 Developing a real Rail
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
84 CHAPTER 4 Oh CRUD! 4.1.1 Writing
Page 111 and 112:
86 CHAPTER 4 Oh CRUD! Aha! You’re
Page 113 and 114:
88 CHAPTER 4 Oh CRUD! 4.2 Editing p
Page 115 and 116:
90 CHAPTER 4 Oh CRUD! 4.2.2 The upd
Page 117 and 118:
92 CHAPTER 4 Oh CRUD! 4.3.1 Writing
Page 119 and 120:
94 CHAPTER 4 Oh CRUD! Figure 4.1 Ac
Page 121 and 122:
96 CHAPTER 4 Oh CRUD! F When the te
Page 123 and 124:
98 CHAPTER 4 Oh CRUD! functionality
Page 125 and 126:
100 CHAPTER 5 Nested resources New
Page 127 and 128:
102 CHAPTER 5 Nested resources an e
Page 129 and 130:
104 CHAPTER 5 Nested resources 5.1.
Page 131 and 132:
106 CHAPTER 5 Nested resources Then
Page 133 and 134:
108 CHAPTER 5 Nested resources Grea
Page 135 and 136:
110 CHAPTER 5 Nested resources see
Page 137 and 138:
112 CHAPTER 5 Nested resources The
Page 139 and 140:
114 CHAPTER 5 Nested resources Agai
Page 141 and 142:
116 CHAPTER 5 Nested resources show
Page 143 and 144:
118 CHAPTER 6 Authentication and ba
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158: 132 CHAPTER 6 Authentication and ba
Page 159 and 160: 134 CHAPTER 6 Authentication and ba
Page 161 and 162: This chapter covers � Adding an a
Page 163 and 164: 138 CHAPTER 7 Basic access control
Page 189 and 190: This chapter covers � Expanding w
Page 191 and 192: 166 CHAPTER 8 More authorization Un
Page 193 and 194: 168 CHAPTER 8 More authorization pe
Page 195 and 196: 170 CHAPTER 8 More authorization Th
Page 197 and 198: 172 CHAPTER 8 More authorization ..
Page 201 and 202: 176 CHAPTER 8 More authorization 8.
Page 203 and 204: 178 CHAPTER 8 More authorization Re
Page 205 and 206: 180 CHAPTER 8 More authorization Cr
Page 207: 182 CHAPTER 8 More authorization Th
Page 211 and 212: 186 CHAPTER 8 More authorization De
Page 213 and 214: 188 CHAPTER 8 More authorization To
Page 219 and 220: 194 CHAPTER 8 More authorization Yo
Page 221 and 222: 196 CHAPTER 8 More authorization cu
Page 223 and 224: 198 CHAPTER 8 More authorization
Page 227 and 228: 202 CHAPTER 8 More authorization Li
Page 229 and 230: 204 CHAPTER 8 More authorization
Page 231 and 232: 206 CHAPTER 8 More authorization Si
Page 233 and 234: 208 CHAPTER 8 More authorization Li
Page 237 and 238: 212 CHAPTER 8 More authorization 45
Page 239 and 240: 214 CHAPTER 9 File uploading By pro
Page 241 and 242: 216 CHAPTER 9 File uploading that t
Page 243 and 244: 218 CHAPTER 9 File uploading remove
Page 245 and 246: 220 CHAPTER 9 File uploading This f
Page 247 and 248: 222 CHAPTER 9 File uploading asset
Page 249 and 250: 224 CHAPTER 9 File uploading 9.2.2
Page 251 and 252: 226 CHAPTER 9 File uploading you ha
Page 253 and 254: 228 CHAPTER 9 File uploading sign_i
Page 255 and 256: 230 CHAPTER 9 File uploading When y
Page 257 and 258: 232 CHAPTER 9 File uploading You co
Page 259 and 260:
234 CHAPTER 9 File uploading The /a
Page 261 and 262:
236 CHAPTER 9 File uploading When y
Page 263 and 264:
238 CHAPTER 9 File uploading Open a
Page 265 and 266:
240 CHAPTER 9 File uploading This i
Page 267 and 268:
242 CHAPTER 9 File uploading After
Page 269 and 270:
244 CHAPTER 10 Tracking state used,
Page 271 and 272:
246 CHAPTER 10 Tracking state group
Page 273 and 274:
248 CHAPTER 10 Tracking state Listi
Page 275 and 276:
250 CHAPTER 10 Tracking state end @
Page 277 and 278:
252 CHAPTER 10 Tracking state With
Page 279 and 280:
254 CHAPTER 10 Tracking state which
Page 281 and 282:
256 CHAPTER 10 Tracking state The f
Page 283 and 284:
258 CHAPTER 10 Tracking state class
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
264 CHAPTER 10 Tracking state Good,
Page 291 and 292:
266 CHAPTER 10 Tracking state You c
Page 293 and 294:
268 CHAPTER 10 Tracking state You h
Page 295 and 296:
270 CHAPTER 10 Tracking state You
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
276 CHAPTER 10 Tracking state def m
Page 303 and 304:
278 CHAPTER 10 Tracking state 10.5
Page 305 and 306:
280 CHAPTER 10 Tracking state 33 of
Page 307 and 308:
282 CHAPTER 10 Tracking state 10.5.
Page 309 and 310:
284 CHAPTER 10 Tracking state it "c
Page 311 and 312:
This chapter covers � Tagging spe
Page 313 and 314:
288 CHAPTER 11 Tagging And I press
Page 315 and 316:
290 CHAPTER 11 Tagging To define th
Page 317 and 318:
292 CHAPTER 11 Tagging 11.2 Adding
Page 319 and 320:
294 CHAPTER 11 Tagging 11.2.2 Fixin
Page 321 and 322:
296 CHAPTER 11 Tagging Because the
Page 323 and 324:
298 CHAPTER 11 Tagging ment from th
Page 325 and 326:
300 CHAPTER 11 Tagging true, :url
Page 327 and 328:
302 CHAPTER 11 Tagging get there pr
Page 329 and 330:
304 CHAPTER 11 Tagging And I follow
Page 331 and 332:
306 CHAPTER 11 Tagging The :from op
Page 333 and 334:
308 CHAPTER 11 Tagging This is beca
Page 335 and 336:
310 CHAPTER 11 Tagging into this:
Page 337 and 338:
This chapter covers � Sending ema
Page 339 and 340:
314 CHAPTER 12 Sending email To tes
Page 341 and 342:
316 CHAPTER 12 Sending email Let’
Page 343 and 344:
318 CHAPTER 12 Sending email Now th
Page 345 and 346:
320 CHAPTER 12 Sending email the em
Page 347 and 348:
322 CHAPTER 12 Sending email Great
Page 349 and 350:
324 CHAPTER 12 Sending email messag
Page 351 and 352:
326 CHAPTER 12 Sending email A B cr
Page 353 and 354:
328 CHAPTER 12 Sending email Next,
Page 355 and 356:
330 CHAPTER 12 Sending email As usu
Page 357 and 358:
332 CHAPTER 12 Sending email When y
Page 359 and 360:
334 CHAPTER 12 Sending email applic
Page 361 and 362:
336 CHAPTER 12 Sending email Listin
Page 363 and 364:
338 CHAPTER 12 Sending email To ins
Page 365 and 366:
340 CHAPTER 12 Sending email 12.4 R
Page 367 and 368:
342 CHAPTER 12 Sending email 12.4.2
Page 369 and 370:
344 CHAPTER 12 Sending email When y
Page 371 and 372:
346 CHAPTER 12 Sending email By sen
Page 373 and 374:
348 CHAPTER 13 Designing an API One
Page 375 and 376:
350 CHAPTER 13 Designing an API cri
Page 377 and 378:
352 CHAPTER 13 Designing an API RSp
Page 379 and 380:
354 CHAPTER 13 Designing an API ] }
Page 381 and 382:
356 CHAPTER 13 Designing an API In
Page 383 and 384:
358 CHAPTER 13 Designing an API Boo
Page 385 and 386:
360 CHAPTER 13 Designing an API 13.
Page 387 and 388:
362 CHAPTER 13 Designing an API Thi
Page 389 and 390:
364 CHAPTER 13 Designing an API err
Page 391 and 392:
366 CHAPTER 13 Designing an API To
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
372 CHAPTER 13 Designing an API @pr
Page 399 and 400:
374 CHAPTER 13 Designing an API The
Page 401 and 402:
376 CHAPTER 13 Designing an API Lis
Page 403 and 404:
378 CHAPTER 13 Designing an API You
Page 405 and 406:
Page 407 and 408:
382 CHAPTER 13 Designing an API you
Page 409 and 410:
384 CHAPTER 13 Designing an API git
Page 411 and 412:
386 CHAPTER 14 Deployment done. Thi
Page 413 and 414:
388 CHAPTER 14 Deployment useradd -
Page 415 and 416:
390 CHAPTER 14 Deployment rvm group
Page 417 and 418:
392 CHAPTER 14 Deployment To be as
Page 419 and 420:
394 CHAPTER 14 Deployment service s
Page 421 and 422:
396 CHAPTER 14 Deployment 14.5.1 De
Page 423 and 424:
398 CHAPTER 14 Deployment The final
Page 425 and 426:
400 CHAPTER 14 Deployment With the
Page 427 and 428:
402 CHAPTER 14 Deployment executing
Page 429 and 430:
404 CHAPTER 14 Deployment The first
Page 431 and 432:
406 CHAPTER 14 Deployment You can e
Page 433 and 434:
408 CHAPTER 14 Deployment Once Rail
Page 435 and 436:
410 CHAPTER 14 Deployment This mean
Page 437 and 438:
This chapter covers � Authenticat
Page 439 and 440:
414 CHAPTER 15 Alternative authenti
Page 441 and 442:
Page 443 and 444:
Page 445 and 446:
Page 447 and 448:
Page 449 and 450:
Page 451 and 452:
Page 453 and 454:
Page 455 and 456:
Page 457 and 458:
Page 459 and 460:
This chapter covers � Implementin
Page 461 and 462:
436 CHAPTER 16 Basic performance en
Page 463 and 464:
Page 465 and 466:
Page 467 and 468:
Page 469 and 470:
Page 471 and 472:
Page 473 and 474:
Page 475 and 476:
Page 477 and 478:
Page 479 and 480:
Page 481 and 482:
Page 483 and 484:
Page 485 and 486:
Page 487 and 488:
Page 489 and 490:
Page 491 and 492:
Page 493 and 494:
This chapter covers � The importa
Page 495 and 496:
470 CHAPTER 17 Engines copy over as
Page 497 and 498:
472 CHAPTER 17 Engines With that sa
Page 499 and 500:
474 CHAPTER 17 Engines Obviously, y
Page 501 and 502:
476 CHAPTER 17 Engines This file’
Page 503 and 504:
478 CHAPTER 17 Engines 2. Goes thro
Page 505 and 506:
480 CHAPTER 17 Engines This is real
Page 507 and 508:
482 CHAPTER 17 Engines s.add_develo
Page 509 and 510:
484 CHAPTER 17 Engines The click_li
Page 511 and 512:
486 CHAPTER 17 Engines This code ha
Page 513 and 514:
488 CHAPTER 17 Engines You’re mis
Page 515 and 516:
490 CHAPTER 17 Engines NOTE We’re
Page 517 and 518:
492 CHAPTER 17 Engines 17.5.8 Showi
Page 519 and 520:
494 CHAPTER 17 Engines Listing 17.9
Page 521 and 522:
496 CHAPTER 17 Engines Note that th
Page 523 and 524:
498 CHAPTER 17 Engines your applica
Page 525 and 526:
500 CHAPTER 17 Engines 17.7.2 A fak
Page 527 and 528:
502 CHAPTER 17 Engines forem_user;
Page 529 and 530:
504 CHAPTER 17 Engines You don’t
Page 531 and 532:
506 CHAPTER 17 Engines This is the
Page 533 and 534:
508 CHAPTER 17 Engines Because you
Page 535 and 536:
510 CHAPTER 17 Engines Listing 17.1
Page 537 and 538:
512 CHAPTER 17 Engines 17.8 Releasi
Page 539 and 540:
514 CHAPTER 17 Engines This task ac
Page 541 and 542:
This chapter covers � Building a
Page 543 and 544:
518 CHAPTER 18 Rack-based applicati
Page 545 and 546:
Page 547 and 548:
Page 549 and 550:
Page 551 and 552:
Page 553 and 554:
Page 555 and 556:
Page 557 and 558:
Page 559 and 560:
Page 561 and 562:
Page 563 and 564:
Page 565 and 566:
Page 567 and 568:
542 APPENDIX A Why Rails? it helps
Page 569 and 570:
544 APPENDIX A Why Rails? with thei
Page 571 and 572:
546 appendix B Tidbits This appendi
Page 573 and 574:
548 APPENDIX B Tidbits You should g
Page 576 and 577:
Special characters and numbers $ fu
Page 578 and 579:
authentication (continued) OAuth, 4
Page 580 and 581:
CSRF (cross-site request forgery) a
Page 582 and 583:
find_or_create_for_twitter method,
Page 584 and 585:
last_post method, 510 last_ticket m
Page 586 and 587:
Project.for method, 531 projects, 5
Page 588 and 589:
searching by state, 305-309 testing
Page 590 and 591:
toggle_watching_button method, 330
Page 592:
WEB DEVELOPMENT/RUBY R ails Rails 3
show all

Rails%203%20In%20Action

Create successful ePaper yourself

Delete template?

Save as template?