
Security for a Rails Ecommerce Application

We've been building an ecommerce application for an online bookstore. Now we've reached one of the most important stages in the application's design: building in the security to prevent malicious hackers from wreaking havoc. This four-part series shows you how to protect your application. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
Rating: 5 stars / 2
June 14, 2010
  1. · Security for a Rails Ecommerce Application
  2. · Using the Authentication Plugin
  3. · Implementing the Log In User Story
  4. · Adding the Filter


Security for a Rails Ecommerce Application - Adding the Filter
(Page 4 of 4)

In Chapter 5, we hinted that filters would be a good fit for implementing authentication functionality in Rails, and that is exactly what acts_as_authenticated does (or, to be precise, makes us do). The AuthenticatedSystem module (which is now included in all our controllers, remember?) implements a method called login_required, which is the workhorse of the whole plugin. If it is registered as a before_filter inside a controller, the login check runs before any action in that controller is allowed to execute; when the check fails, the filter halts the chain and the action body never runs:

class SomeController < ApplicationController
  before_filter :login_required

  def first_action
    # this action is now only available for logged in users
  end
end

As you might remember from Chapter 5, you can restrict a filter to certain actions with the :only and :except parameters of the before_filter call:

before_filter :login_required, :only => :secret_action
before_filter :login_required, :except => [:index, :rss]

In our case, we want to protect all controllers in the app/controllers/admin directory. This is most easily done by creating a common parent class for them:

$ script/generate controller 'admin/base'

Next, we put the filter macro in the newly created app/controllers/admin/base_controller.rb file:

class Admin::BaseController < ApplicationController
  before_filter :login_required
end

Now we need to make the actual admin controllers inherit from Admin::BaseController. Make the following change in every controller file in app/controllers/admin (authors, books, and publishers), except the base controller we just created:

class Admin::AuthorController < Admin::BaseController

Note that these classes are still descendants of ApplicationController, because Admin::BaseController inherits from it; the filter is simply added one level down in the hierarchy. Putting the filter in the parent class also means that any admin controller added later is protected by default, as long as it inherits from Admin::BaseController rather than directly from ApplicationController. The one thing to watch for when reviewing a subclass is a skip_before_filter call, which removes an inherited filter again.
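To see how the filter chain described above behaves (login_required as a before_filter, the :only and :except parameters, and inheritance through Admin::BaseController), here is a small Ruby stand-in for the Rails filter mechanism that runs without a Rails install. This is an added example, not code from the book or from the acts_as_authenticated plugin; FakeController, the :user session key, the /account/login redirect target and the StoreController and ReportController classes are all assumptions made for the example.

```ruby
# Added example (not the plugin's or the book's code): a minimal stand-in for
# Rails' before_filter chain. FakeController, the :user session key and the
# redirect target below are assumptions made for this example.

module AuthenticatedSystem
  # Same contract as the plugin's login_required: return true to let the
  # action run, otherwise halt the chain. The real plugin's access_denied
  # decides how to respond; this stand-in always redirects to a login page.
  def login_required
    return true if logged_in?
    @response = { :status => 302, :location => "/account/login" }
    false
  end

  def logged_in?
    !session[:user].nil?
  end
end

class FakeController
  include AuthenticatedSystem
  attr_reader :session

  # Filters are kept per class. A subclass starts with a copy of its parent's
  # list, which is what makes a filter declared on Admin::BaseController
  # apply to every controller that inherits from it.
  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : [])
  end

  def self.before_filter(name, options = {})
    filters << { :name   => name,
                 :only   => Array(options[:only]).map(&:to_s),
                 :except => Array(options[:except]).map(&:to_s) }
  end

  def initialize(session = {})
    @session  = session
    @response = nil
  end

  # Run every applicable filter in declaration order. The first filter that
  # returns false stops the chain, and the action body is never executed.
  def process(action)
    action = action.to_s
    self.class.filters.each do |f|
      next if !f[:only].empty? && !f[:only].include?(action)
      next if f[:except].include?(action)
      return @response unless send(f[:name])
    end
    @response = { :status => 200, :body => send(action) }
  end
end

class ApplicationController < FakeController; end

# The parent class from the text: one filter, inherited by all admin controllers.
module Admin
  class BaseController < ApplicationController
    before_filter :login_required
  end

  class AuthorController < BaseController
    def index; "author list"; end
  end
end

# :except fails closed: an action added later is protected unless listed here.
class StoreController < ApplicationController
  before_filter :login_required, :except => [:index, :rss]
  def index;   "public catalog";  end
  def rss;     "public feed";     end
  def account; "private account"; end
end

# :only fails open: an action added later is NOT protected unless listed here.
class ReportController < ApplicationController
  before_filter :login_required, :only => :secret_action
  def secret_action; "quarterly numbers"; end
  def new_action;    "nobody added this to :only"; end
end

# Drive a controller the way the integration test drives the app: pick an
# action and a session, get back the simulated response hash.
def simulate_request(controller_class, action, session = {})
  controller_class.new(session).process(action)
end
```

The two non-admin controllers make the point the text leaves implicit: an :except list fails closed (a new action is protected unless you opt it out), while an :only list fails open (a new action is unprotected unless you remember to add it). An unconditional filter in a parent class, as done with Admin::BaseController, is the safest of the three because there is no list to forget to update.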

If you now run the integration test file again, you’ll see that the protection works as it should:

$ ruby test/integration/authentication_test.rb
Loaded suite test/integration/authentication_test
Started
Finished in 0.20896 seconds.

1 tests, 3 assertions, 0 failures, 0 errors

Please check back for the second part of this article.

© 2003-2019 by Developer Shed. All rights reserved.