author | ozzyaaron <aaron@thefrontiergroup.com.au> | 2011-03-29 11:23:20 +0800 |
---|---|---|
committer | ozzyaaron <aaron@thefrontiergroup.com.au> | 2011-03-29 11:23:20 +0800 |
commit | 837f0ab5c8595609ec31cf885dbe04f0caa15ce0 (patch) | |
tree | 2ed015359e57e7b42ce377626b88e93aa956f1ff /railties/guides/source/getting_started.textile | |
parent | d5dc02b5e88324bdbd274a5008a1d6b7a2f6f9d7 (diff) | |
parent | 54af8dfbfc4122494235d817cd98b83874241215 (diff) | |
download | rails-837f0ab5c8595609ec31cf885dbe04f0caa15ce0.tar.gz rails-837f0ab5c8595609ec31cf885dbe04f0caa15ce0.tar.bz2 rails-837f0ab5c8595609ec31cf885dbe04f0caa15ce0.zip |
Merge branch 'master' of github.com:lifo/docrails
Diffstat (limited to 'railties/guides/source/getting_started.textile')
-rw-r--r-- | railties/guides/source/getting_started.textile | 27 |
1 files changed, 5 insertions, 22 deletions
diff --git a/railties/guides/source/getting_started.textile b/railties/guides/source/getting_started.textile index 0661549644..1122a4b9e3 100644 --- a/railties/guides/source/getting_started.textile +++ b/railties/guides/source/getting_started.textile 
@@ -1201,33 +1201,16 @@ h3. Security If you were to publish your blog online, anybody would be able to add, edit and delete posts or delete comments. -Rails provides a very simple HTTP authentication system that will work nicely in this situation. First, we enable simple HTTP based authentication in our <tt>app/controllers/application_controller.rb</tt>: +Rails provides a very simple HTTP authentication system that will work nicely in this situation. -<ruby> -class ApplicationController < ActionController::Base - protect_from_forgery - - private - - def authenticate - authenticate_or_request_with_http_basic do |user_name, password| - user_name == 'admin' && password == 'password' - end - end - -end -</ruby> - -You can obviously change the username and password to whatever you want. We put this method inside of +ApplicationController+ so that it is available to all of our controllers. - -Then in the +PostsController+ we need to have a way to block access to the various actions if the person is not authenticated, here we can use the Rails <tt>before_filter</tt> method, which allows us to specify that Rails must run a method and only then allow access to the requested action if that method allows it. +In the +PostsController+ we need to have a way to block access to the various actions if the person is not authenticated, here we can use the Rails <tt>http_basic_authenticate_with</tt> method, allowing access to the requested action if that method allows it. 
-To use the before filter, we specify it at the top of our +PostsController+, in this case, we want the user to be authenticated on every action, except for +index+ and +show+, so we write that: +To use the authentication system, we specify it at the top of our +PostsController+, in this case, we want the user to be authenticated on every action, except for +index+ and +show+, so we write that: <ruby> class PostsController < ApplicationController - before_filter :authenticate, :except => [:index, :show] + http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index # GET /posts # GET /posts.xml @@ -1242,7 +1225,7 @@ We also only want to allow authenticated users to delete comments, so in the +Co <ruby> class CommentsController < ApplicationController - before_filter :authenticate, :only => :destroy + http_basic_authenticate_with :name => "dhh", :password => "secret", :only => :destroy def create @post = Post.find(params[:post_id]) |
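Review bot: in the first hunk the new `http_basic_authenticate_with` line in +PostsController+ passes `:except => :index` only, while the sentence immediately above it in the same hunk still says we want the user authenticated on every action "except for +index+ and +show+", and the `before_filter :authenticate, :except => [:index, :show]` line it replaces excepted both. As written, viewing a single post now prompts for credentials. Either restore `:except => [:index, :show]` or change the prose to match the code.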
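Review bot: in the second hunk the literal credentials `:name => "dhh", :password => "secret"` are now repeated verbatim in +CommentsController+ as well as +PostsController+, where previously the check lived once in +ApplicationController+, and the removed sentence "You can obviously change the username and password to whatever you want" has no replacement. A reader who changes the password in one controller will silently leave the other accepting the old one. Suggest keeping a single definition (for example a constant in +ApplicationController+ that both calls reference) or, at minimum, reinstating a sentence telling the reader to change the credentials in both places.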