Closed cannikin closed 12 years ago
I first started playing with a routing constraint, but what will you be looking for in the constraint exactly? A cookie or something? If so, that's not very secure.
I think one of the easiest ways to do this is to pull the mercury controller out of the gem into your app. Then you can put a before_filter that properly checks that a user session with permissions to access the actions exists.
Anybody have a nice pattern that I could put in the gem that would cover this sort of need?
This information is pulled straight from the comments on the Mercury Editor Railscast, originally posted by tbarho.
In your routes file (before the mercury routes are included) add:
    match '/editor(/*requested_uri)' => 'mercury_auth#edit', :as => :mercury_editor
Then create a new controller in your project, that inherits from MercuryController:
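    class MercuryAuthController < MercuryController
      # SessionsHelper is the app's own helper, expected to define authenticate_with_admin.
      include SessionsHelper

      # Require an authenticated admin before the editor is rendered.
      before_filter :authenticate_with_admin, :only => [:edit]

      def edit
        render :text => '', :layout => 'mercury'
      end
    end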
You also probably want to do things like this for your save route etc.
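The server-side session check discussed in this thread, written as a Rack middleware so the editor and the other Mercury paths are covered in one place. This is an added example, not code from the thread or from the Mercury gem; the class name, the `:user_id` session key, the admin lookup and the `/mercury` prefix are assumptions.

```ruby
# Added example, not code from the thread or from the Mercury gem.
# Assumed names: MercuryGuard, the :user_id session key, the admin lookup
# callable and the "/mercury" prefix. "/editor" is the route shown above.
class MercuryGuard
  def initialize(app, admin_check:, prefixes: ['/editor', '/mercury'])
    @app = app
    @admin_check = admin_check # callable: user_id -> true/false
    @prefixes = prefixes
  end

  def call(env)
    return @app.call(env) unless guarded?(env['PATH_INFO'].to_s)

    # Trust only the server-side session populated by the session
    # middleware; never a raw flag the browser can set itself.
    user_id = (env['rack.session'] || {})[:user_id]
    return @app.call(env) if user_id && @admin_check.call(user_id)

    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
  end

  private

  # Match whole path segments so "/editorial" is not treated as "/editor".
  def guarded?(path)
    @prefixes.any? { |p| path == p || path.start_with?("#{p}/") }
  end
end

# Constructed requests: drive the guard without a web server.
def status_for(path, session: {}, cookie: nil, method: 'GET')
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  guard = MercuryGuard.new(app, admin_check: ->(id) { [1].include?(id) })
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path,
          'rack.session' => session }
  env['HTTP_COOKIE'] = cookie if cookie
  guard.call(env).first
end
```

The guard reads `env['rack.session']`, so it has to sit after the session middleware in the stack.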
I'm trying to figure out how I can limit access to the editor if the user is not logged into my app. I tried adding constraints around the engine routes but it doesn't seem to do anything (going to /editor/page still works fine). Here's my app's routes.rb:
Any suggestions?