#149 open
James Garlick

When should web_method do the permission check?

Reported by James Garlick | August 2nd, 2008 @ 09:42 PM | in Beyond Hobo 1.0

Should web_method raise Hobo::Model::PermissionDeniedError when used with a block? I think not, since if you pass a block you are doing your own thing and there's no need for the method to actually even exist on the model object.

Comments and changes to this ticket

  • Tom Locke August 3rd, 2008 @ 10:46 AM

    • Title changed from “permission denied on web_method” to “When should web_method do the permission check?”
    • State changed from “new” to “open”
    • Tag changed from question to model-controller, question, web-method
    • Milestone set to Hobo 1.0 - Final

    It was designed this way deliberately so that security is built in, rather than something you have to remember.

    Having said that, we should probably bring it into line with the other Hobo actions, e.g. this would be the long way to do it (and this would give you the permission check):

    web_method :foo
    def foo
      hobo_web_method :foo do
        # permission check done, now call the method
        @this.foo
      end
    end
    

    Then the block form could be a shorthand for the above, e.g.

    web_method :foo do
      @this.foo
    end
    

    That way if you didn't want the permission check, you could use the def form and not call hobo_web_method.

    We could provide the same semantics for show_action and index_action.

  • Tom Locke March 12th, 2009 @ 01:41 PM

    • Milestone changed from Hobo 1.0 - Final to Beyond Hobo 1.0
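
The semantics proposed in the first comment, sketched as a standalone Ruby toy. This is an added example, not part of the ticket and not Hobo's implementation: only `web_method` and `hobo_web_method` take their names from the thread, while `ToyController`, `Doc`, `callable_by?`, `PermissionDenied` and `attempt` are hypothetical stand-ins.

```ruby
# Toy model of the semantics proposed in this ticket; not Hobo's code.
# PermissionDenied stands in for Hobo::Model::PermissionDeniedError;
# Doc, ToyController, callable_by? and attempt are hypothetical names.
class PermissionDenied < StandardError; end

class Doc
  attr_reader :published
  def initialize(owner); @owner = owner; @published = false; end
  # Hypothetical permission hook: only the owner may call web methods.
  def callable_by?(user, _method); user == @owner; end
  def publish; @published = true; end
end

class ToyController
  def initialize(this, user); @this = this; @user = user; end

  # Block form is shorthand for def + hobo_web_method, so the check always
  # runs before the block. Without a block it only declares the action.
  def self.web_method(name, &block)
    return unless block
    define_method(name) { hobo_web_method(name) { instance_exec(&block) } }
  end

  # Runs the permission check against @this, then yields to the action body.
  def hobo_web_method(name)
    raise PermissionDenied, name.to_s unless @this.callable_by?(@user, name)
    yield
  end
end

class DocsController < ToyController
  web_method(:publish) { @this.publish }   # block form: checked
  web_method :publish_long
  def publish_long                         # long form: checked
    hobo_web_method(:publish_long) { @this.publish }
  end
  web_method :publish_unchecked
  def publish_unchecked                    # def form without hobo_web_method: unchecked
    @this.publish
  end
end

# Constructed scenario: the document is owned by "alice".
def attempt(action, user)
  doc = Doc.new("alice")
  DocsController.new(doc, user).public_send(action)
  [:ok, doc.published]
rescue PermissionDenied
  [:denied, doc.published]
end
```

Under these semantics the only unchecked path is a `def` body that never calls `hobo_web_method`, so that is the pattern to look for when reviewing controllers.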
