- Read Tutorial
- Watch Guide Video
After I finished the last guide I realize that we have a little bit of a security vulnerability not so much in regards to us getting hacked or something like that because we have our important crud-based items protected. But we have an issue where our blogs could actually be accessed by search engines and by outside individuals. Even when they have been marked as being in draft mode. I'll show you right here and if you click on this link. I'm logged in as an admin user. If I pop this open in incognito mode where no users logged in. I can still access this page. Theoretically, a search engine or even someone who just somehow was sent this link would be able to access the page that is most likely not the behavior that you want for a draft. Let's see how we can update that. Coming into our show action(
blogs_controller.rb) we can see right here that we are creating a query and we're not doing anything to hide this from regular users. That's what we need to change. It's not too difficult to do that. I am going to simply say...
def show if logged_in?(:site_admin) || @blog.published? @blog = Blog.includes(:comments).friendly.find(params[:id]) @comment = Comment.new @page_title = @blog.title @seo_keywords = @blog.body else redirect_to blogs_path, notice: "You are not authorized to access this page" end end
if logged in and say site admin or if the blog is published and remember we have this published ? syntax coming from the Rails enum system so, because we have published as an enum item then we can ask a blog if it's published or not. Essentially this line is going to do it's good to say if the users logged in as a site admin let them come in to access the blog and the show page. Or if the blog is published let them come in. All we have to do now is redirect the user if either of those cases are not true. I can just say redirect_to and say blogs_path. Let's also give a notice so we can say notice: and say 'you are not authorized to access this page'. This should be all that we have to do. If I come back. If I hit refresh for a regular item when I'm logged in as an admin, everything still works. If I come here, you can see that now this redirects me to the blogs page and it says you are not authorized to access this page so that's exactly what we want. But now if I click on any of these items that are published then I can still access them. So this is the exact type of behavior that we're looking for. Let's come to pivotal tracker, click on
Hide draft post via show action for blogs. Let's see if there's anything else that we need to do related to that. For right now I think we are good. I know this is a shorter guide but a lot of these guides in this section are going to be shorter because I really want to give you a little bit of a break but also so that we can isolate each task and give it its own guide. So, I'm going to say
git status, git add
,git commit -m "implemented redirect for blog show page when non admin tries to access draft blog"
,git push orgin final-changes` and we're good to go. Now that we have that in place I'm feeling better about the security of our app. Now let's go and talk about our topics.