author    Vijay Dev <vijaydev.cse@gmail.com>  2011-03-31 16:34:07 +0530
committer Vijay Dev <vijaydev.cse@gmail.com>  2011-03-31 16:34:07 +0530
commit    4c76f6894889e8e3f5cc3722d928954c79422542 (patch)
tree      dd1d4b630eaea7a74faabcf0cea41bf740ce8330 /railties/guides/source/getting_started.textile
parent    910a8d22460a8b8e67a16441dadb87cc12ab7a4a (diff)
parent    f44d85a030f6e22421b26f0d5a0c869fae3efe5f (diff)
Merge branch 'master' of github.com:lifo/docrails
Diffstat (limited to 'railties/guides/source/getting_started.textile')
-rw-r--r--  railties/guides/source/getting_started.textile  27
1 files changed, 5 insertions, 22 deletions
diff --git a/railties/guides/source/getting_started.textile b/railties/guides/source/getting_started.textile
index 0661549644..1122a4b9e3 100644
--- a/railties/guides/source/getting_started.textile
+++ b/railties/guides/source/getting_started.textile
@@ -1201,33 +1201,16 @@ h3. Security
If you were to publish your blog online, anybody would be able to add, edit and delete posts or delete comments.
-Rails provides a very simple HTTP authentication system that will work nicely in this situation. First, we enable simple HTTP based authentication in our <tt>app/controllers/application_controller.rb</tt>:
+Rails provides a very simple HTTP authentication system that will work nicely in this situation.
-<ruby>
-class ApplicationController < ActionController::Base
- protect_from_forgery
-
- private
-
- def authenticate
- authenticate_or_request_with_http_basic do |user_name, password|
- user_name == 'admin' && password == 'password'
- end
- end
-
-end
-</ruby>
-
-You can obviously change the username and password to whatever you want. We put this method inside of +ApplicationController+ so that it is available to all of our controllers.
-
-Then in the +PostsController+ we need to have a way to block access to the various actions if the person is not authenticated, here we can use the Rails <tt>before_filter</tt> method, which allows us to specify that Rails must run a method and only then allow access to the requested action if that method allows it.
+In the +PostsController+ we need to have a way to block access to the various actions if the person is not authenticated, here we can use the Rails <tt>http_basic_authenticate_with</tt> method, allowing access to the requested action if that method allows it.
-To use the before filter, we specify it at the top of our +PostsController+, in this case, we want the user to be authenticated on every action, except for +index+ and +show+, so we write that:
+To use the authentication system, we specify it at the top of our +PostsController+, in this case, we want the user to be authenticated on every action, except for +index+ and +show+, so we write that:
<ruby>
class PostsController < ApplicationController
- before_filter :authenticate, :except => [:index, :show]
+ http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
# GET /posts
# GET /posts.xml
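Review bot: the new `http_basic_authenticate_with` line and the sentence just above it disagree. The text still says the user must be authenticated on every action "except for +index+ and +show+", but the code passes only `:except => :index`, so +show+ will now prompt for credentials; either change the option to `:except => [:index, :show]` or update the sentence to say only +index+ stays open. The removed paragraph was also the only place the guide told readers that the username and password are placeholders to change; with `:name => "dhh", :password => "secret"` now written literally in the controller, keep a sentence saying they must be replaced before the app is deployed. Minor: the rewritten +PostsController+ sentence is a comma splice ("...if the person is not authenticated, here we can use..."), and "allowing access to the requested action if that method allows it" no longer makes sense now that there is no separate `authenticate` method to refer to.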
@@ -1242,7 +1225,7 @@ We also only want to allow authenticated users to delete comments, so in the +Co
<ruby>
class CommentsController < ApplicationController
- before_filter :authenticate, :only => :destroy
+ http_basic_authenticate_with :name => "dhh", :password => "secret", :only => :destroy
def create
@post = Post.find(params[:post_id])
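Review bot: this repeats the literal `:name => "dhh", :password => "secret"` pair already placed in +PostsController+. The old `authenticate` method lived in +ApplicationController+ precisely so that one definition served every controller; with the macro duplicated per controller, a reader who changes the password in one place will silently leave the other controller accepting the old one. Either point both calls at a single shared value or add a sentence telling readers the two must be kept in sync.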