admin_data security configuration for a Rails3 application
Put all your security configuration in config/initializers/admin_data.rb (relative to the root of your Rails application).
The default security configuration allows both view and update access in the development environment and denies both in every other environment. It looks like this:
```ruby
AdminData.config do |config|
  # Each lambda receives the current controller; a truthy return value grants access.
  config.is_allowed_to_view = lambda {|controller| return true if Rails.env.development? }
  config.is_allowed_to_update = lambda {|controller| return true if Rails.env.development? }
end
```
Consequently, in the production environment nobody can view anything by default; it is up to you to configure access for that environment. Here is the configuration I use in one of my projects:
```ruby
AdminData.config do |config|
  config.is_allowed_to_view = lambda {|controller| controller.send('logged_in?') }
  config.is_allowed_to_update = lambda {|controller| controller.send('admin_logged_in?') }
end
```
In the above case application_controller.rb must define the methods logged_in? and admin_logged_in?. Because send bypasses Ruby method visibility, those helpers may be private or protected, as authentication helpers in ApplicationController usually are.
As you can see, the controller is passed as the argument to the proc, so you can call any controller method to decide whether the current user should have access. Only a truthy return value grants access; a lambda that falls through and returns nil (as the default does outside development) denies it.
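To make the evaluation rules concrete, here is an added, stand-alone simulation (not admin_data's own code) of how the two policy lambdas behave against a controller whose auth helpers are private. It assumes, as the page implies, that the lambda's return value is used as a plain truthiness test and that the argument is the current request's controller; it also adds a fail-closed wrapper that treats an exception inside the lambda as "denied", which is a hardening choice of this example and not documented admin_data behaviour. Rails is not loaded; Rails.env and ApplicationController are stubbed so it runs offline.

```ruby
# Added example, not admin_data's code. Rails.env is stubbed so the script
# runs outside a Rails application.
module Rails
  class Env < String
    def development?; self == 'development'; end
    def production?;  self == 'production';  end
  end
  @env = Env.new(ENV.fetch('RAILS_ENV', 'production'))
  def self.env; @env; end
  def self.env=(name); @env = Env.new(name); end
end

# Minimal stand-in for an ApplicationController whose auth helpers are private,
# as they commonly are. controller.send(...) still reaches them, which is why
# the configuration on the page uses send rather than a direct call.
class ApplicationController
  def initialize(user: nil, admin: false)
    @user, @admin = user, admin
  end

  private

  def logged_in?;       !@user.nil?;          end
  def admin_logged_in?; logged_in? && @admin; end
end

# Holder for the two policy lambdas, mirroring the AdminData.config block.
class Policy
  attr_accessor :is_allowed_to_view, :is_allowed_to_update
end

# Evaluate a policy lambda fail-closed: a missing lambda or an exception inside
# it counts as "denied", and only a truthy return value grants access.
# (Assumption of this example; the page does not say what admin_data does
# when the lambda raises.)
def allowed?(check, controller)
  return false if check.nil?
  !!check.call(controller)
rescue StandardError
  false
end

# The default configuration from the page: allow only in development.
DEFAULT_POLICY = Policy.new.tap do |p|
  p.is_allowed_to_view   = lambda { |controller| return true if Rails.env.development? }
  p.is_allowed_to_update = lambda { |controller| return true if Rails.env.development? }
end

# The production configuration from the page: viewers must be logged in,
# updaters must be logged in as admin.
PRODUCTION_POLICY = Policy.new.tap do |p|
  p.is_allowed_to_view   = lambda { |controller| controller.send('logged_in?') }
  p.is_allowed_to_update = lambda { |controller| controller.send('admin_logged_in?') }
end

# A mistaken lambda that calls the private helper directly: NoMethodError,
# which the fail-closed wrapper turns into a denial rather than a grant.
DIRECT_CALL_POLICY = Policy.new.tap do |p|
  p.is_allowed_to_view   = lambda { |controller| controller.logged_in? }
  p.is_allowed_to_update = lambda { |controller| controller.admin_logged_in? }
end

def decisions(policy, controller)
  { view:   allowed?(policy.is_allowed_to_view,   controller),
    update: allowed?(policy.is_allowed_to_update, controller) }
end

if __FILE__ == $0
  Rails.env = 'production'
  p decisions(DEFAULT_POLICY,     ApplicationController.new(user: 'alice', admin: true))
  p decisions(PRODUCTION_POLICY,  ApplicationController.new(user: 'alice'))
  p decisions(PRODUCTION_POLICY,  ApplicationController.new(user: 'alice', admin: true))
  p decisions(DIRECT_CALL_POLICY, ApplicationController.new(user: 'alice', admin: true))
end
```

Run it with RAILS_ENV=development to see the default policy open up; in any other environment the default lambdas return nil and every decision is a denial.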
admin_data provides an RSS feed for every model. The feed can only be consumed by properly authenticated requests: admin_data uses HTTP Basic authentication for feed requests. This is how you provide the user id and password that requests are checked against:
```ruby
AdminData.config do |config|
  config.feed_authentication_user_id = 'admin_data'
  config.feed_authentication_password = 'welcome'
end
```
The URL of the RSS feed for the model user is http://localhost:3000/admin_data/feed/user. Substitute user with the model you want to track.
Don't worry: in any non-development environment nobody can access this feed unless you have configured a user id and password, and every request for the feed must then supply those same credentials. Since HTTP Basic authentication only base64-encodes the credentials rather than encrypting them, serve the feed over HTTPS and choose a password stronger than the example above.
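The following added example (not admin_data's own code) shows what the Basic authentication on the feed looks like on the wire and how a server can verify it. The page does not show admin_data's actual check; the verification here is a conventional one (strict base64 decode, split on the first colon, constant-time comparison, closed when no credentials are configured). The credentials 'admin_data' / 'welcome' are the page's example values, and FEED_PATH is assumed from the feed URL the page gives. The request is built with Net::HTTP but never sent, so everything runs offline.

```ruby
# Added example, not admin_data's code.
require 'base64'
require 'net/http'

# Assumed from the feed URL on the page: /admin_data/feed/<model>.
FEED_PATH = '/admin_data/feed/%s'

# Client side: the request a feed reader sends for a model.
# Net::HTTP#basic_auth sets "Authorization: Basic base64(user:password)".
def feed_request(model, user_id, password)
  req = Net::HTTP::Get.new(format(FEED_PATH, model))
  req.basic_auth(user_id, password)
  req
end

def authorization_header(user_id, password)
  feed_request('user', user_id, password)['Authorization']
end

# What anyone on the network path can recover without HTTPS: Basic auth is
# encoding, not encryption. Returns [user_id, password], or nil when the
# header is absent, not Basic, not valid base64, or has no colon.
def credentials_from_header(header)
  return nil if header.nil?
  scheme, token = header.split(' ', 2)
  return nil unless scheme && token && scheme.casecmp('basic').zero?
  decoded = Base64.strict_decode64(token.strip)
  return nil unless decoded.include?(':')
  decoded.split(':', 2)            # a password may itself contain ':'
rescue ArgumentError               # strict_decode64 rejects malformed input
  nil
end

# Constant-time comparison (same idea as Rack::Utils.secure_compare): the time
# taken does not depend on which byte differs first. Length still leaks, so
# mismatched lengths are rejected up front.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# Server side: accept only if credentials are configured at all and both
# fields match. With nothing configured the feed stays closed, which is the
# behaviour the page describes for non-development environments.
def feed_authenticated?(header, expected_user, expected_password)
  return false if expected_user.nil? || expected_password.nil?
  creds = credentials_from_header(header)
  return false if creds.nil?
  user_ok = secure_compare(creds[0], expected_user)
  pass_ok = secure_compare(creds[1], expected_password)
  user_ok & pass_ok                # check both; no early exit on a bad user id
end

if __FILE__ == $0
  hdr = authorization_header('admin_data', 'welcome')
  puts hdr                                             # the header as sent on the wire
  p credentials_from_header(hdr)                       # what a passive observer sees
  p feed_authenticated?(hdr, 'admin_data', 'welcome')  # correct credentials
  p feed_authenticated?(hdr, 'admin_data', 'Welcome')  # wrong password
  p feed_authenticated?(hdr, nil, nil)                 # nothing configured: closed
end
```

The equivalent fetch from the command line is `curl -u admin_data:welcome http://localhost:3000/admin_data/feed/user`; over plain HTTP the Authorization header that curl sends is exactly the string this script prints, and credentials_from_header shows how trivially it decodes.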