diff options
| author | Prem Sichanugrist <s@sikachu.com> | 2011-03-28 03:05:14 +0800 |
|---|---|---|
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2011-03-28 04:58:47 +0800 |
| commit | 7cbdfa83035aacb0d4dbfa84525b54e9122efb75 (patch) | |
| tree | 9dea7eb6505377b5360c3447ecc19f6d30e06b2c /actionpack/lib/action_controller | |
| parent | 84aab7aa53e0ec4430df89807aa8220353b2d0c9 (diff) | |
| download | rails-7cbdfa83035aacb0d4dbfa84525b54e9122efb75.tar.gz rails-7cbdfa83035aacb0d4dbfa84525b54e9122efb75.tar.bz2 rails-7cbdfa83035aacb0d4dbfa84525b54e9122efb75.zip | |
Add controller-specific `force_ssl` method to force web browser to use HTTPS protocol
This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action.
This featured was requested by DHH.
Diffstat (limited to 'actionpack/lib/action_controller')
| -rw-r--r-- | actionpack/lib/action_controller/base.rb | 1 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/metal/force_ssl.rb | 35 |
2 files changed, 36 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index 81c0698fb8..e6523e56d2 100644 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -198,6 +198,7 @@ module ActionController Cookies, Flash, RequestForgeryProtection, + ForceSSL, Streaming, RecordIdentifier, HttpAuthentication::Basic::ControllerMethods, diff --git a/actionpack/lib/action_controller/metal/force_ssl.rb b/actionpack/lib/action_controller/metal/force_ssl.rb new file mode 100644 index 0000000000..eb8ed7dfbd --- /dev/null +++ b/actionpack/lib/action_controller/metal/force_ssl.rb @@ -0,0 +1,35 @@ +module ActionController + # This module provides a method which will redirects browser to use HTTPS + # protocol. This will ensure that user's sensitive information will be + # transferred safely over the internet. You _should_ always force browser + # to use HTTPS when you're transferring sensitive information such as + # user authentication, account information, or credit card information. + # + # Note that if you really concern about your application safety, you might + # consider using +config.force_ssl+ in your configuration config file instead. + # That will ensure all the data transferred via HTTPS protocol and prevent + # user from getting session hijacked when accessing the site under unsecured + # HTTP protocol. + module ForceSSL + extend ActiveSupport::Concern + include AbstractController::Callbacks + + module ClassMethods + # Force the request to this particular controller or specified actions to be + # under HTTPS protocol. + # + # Note that this method will not be effective on development environment. + # + # ==== Options + # * <tt>only</tt> - The callback should be run only for this action + # * <tt>except<tt> - The callback should be run for all actions except this action + def force_ssl(options = {}) + before_filter(options) do + if !request.ssl? && !Rails.env.development? + redirect_to :protocol => 'https://', :status => :moved_permanently + end + end + end + end + end +end
\ No newline at end of file |