h2. Set up the abstract controller

In @application.rb@:

<pre><code>class ApplicationController < ActionController::Base
  before_filter :authorize

  protected
    # Override in controller classes that should require authentication.
    # The default is false, so a controller that does not override this
    # stays public: the override is the access control, not the filter.
    def secure?
      false
    end

  private
    # Runs before every action. When the controller says the action is
    # secure and nobody is logged in, remember where the user was going,
    # send them to the auth controller and halt the filter chain.
    def authorize
      if secure? && @session["person"].nil?
        @session["return_to"] = @request.request_uri
        redirect_to :controller => "auth"
        return false
      end
    end
end</code></pre>

h2. Define @#secure?@ per controller

h3. Completely secure controller example

<pre><code>class WeblogController < ApplicationController
  def index
    # show secret stuff
  end

  protected
    def secure?
      true
    end
end</code></pre>

h3. Partly secure controller example

<pre><code>class SignupController < ApplicationController
  def index
    # show public stuff
  end

  def settings
    # show secret stuff
  end

  protected
    def secure?
      action_name == "settings"
    end
end
</code></pre>

h4. Variation: several protected actions

Multiple protected actions in a controller that is not fully protected.

<pre><code>...
  protected
    def secure?
      ["onesecretpage", "secondsecretpage"].include?(action_name)
    end
...</code></pre>


h2. Variation: Regex for secure actions

One thing I do is define a class variable regex in my controllers that dictates which methods are available:

<pre><code>@@public = /blah|blah/</code></pre>

Then my global authentication only requires authentication if <code>action_name =~ @@public</code>.

In @application.rb@:

<pre><code>@@private = nil # default to nothing private (the empty regexp // would match every action)
protected
  def secure?
    # =~ returns a match offset or nil; coerce to a boolean and skip the match when no regexp is set
    !!(@@private && action_name =~ @@private)
  end</code></pre>

Then redefine the regexp per controller:

<pre>@@private = /\Auser/ # require login for all user* methods (anchored, so "superuser" does not match)
# Caveat: a class variable is shared by ApplicationController and every subclass,
# so this assignment also changes @@private for all other controllers.</pre>
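The whole pattern from this page as a plain-Ruby model that runs without Rails (an added example, not code from the page or from Rails): the abstract controller with its fail-open @secure?@ default, the completely and partly secure overrides, and the regex variation rewritten to keep the regexp in a class-level instance variable instead of a <code>@@private</code> class variable, because a class variable is shared by every subclass and a regexp assigned in one controller would silently change what every other controller protects. The Rails stand-ins (@FakeController@, @dispatch@, a Hash as the session, @action_allowed?@) and the action names @billing@, @user_list@ and @superuser_list@ are assumptions made for the example. The last few lines reproduce the <code>@@private</code> sharing problem on purpose.

```ruby
# Added example, not code from this page or from Rails: a plain-Ruby model of
# the before_filter :authorize / secure? pattern, with the Rails pieces (before_filter,
# session, redirect_to, action_name, request_uri) stubbed just enough to run offline.
class FakeController
  attr_reader :session, :action_name, :redirected_to
  def initialize(session, action_name)
    @session = session          # a Hash standing in for the Rails session
    @action_name = action_name
    @redirected_to = nil
  end

  # Stand-in for `before_filter :authorize`: true when the action may run,
  # false when the filter halted the chain with a redirect.
  def dispatch
    authorize
  end

  # Stand-in for redirect_to: only records where the user would be sent.
  def redirect_to(target)
    @redirected_to = target
  end

  protected
  # Fail-open default, as on the page: a controller that never overrides
  # secure? is public, so the override is the actual access control.
  def secure?
    false
  end

  private
  def authorize
    if secure? && session["person"].nil?
      session["return_to"] = "/#{action_name}"   # stands in for request_uri
      redirect_to(:controller => "auth")
      return false
    end
    true
  end
end

# Completely secure controller: every action needs a login.
class WeblogController < FakeController
  protected
  def secure?
    true
  end
end

# Partly secure controller: only the listed actions need a login
# ("billing" is an assumed action name, not one from the page).
class SignupController < FakeController
  protected
  def secure?
    %w[settings billing].include?(action_name)
  end
end

# Regex variation with a class-level instance variable instead of @@private.
# A @@variable is shared by every class in the hierarchy, so a regex set in
# one controller would change authorization in all of them; an @variable on
# the class belongs to that class alone and is inherited explicitly here.
class RegexController < FakeController
  class << self
    attr_writer :private_actions
    def private_actions
      @private_actions ||
        (superclass.respond_to?(:private_actions) ? superclass.private_actions : nil)
    end
  end

  protected
  def secure?
    regex = self.class.private_actions
    # =~ yields an Integer or nil, and the empty regex // matches every
    # string, so "nothing private" has to be nil rather than //.
    !regex.nil? && !(action_name =~ regex).nil?
  end
end

class AccountController < RegexController
  self.private_actions = /\Auser/   # anchored: "superuser_list" stays public
end
class PublicController < RegexController; end   # inherits nil: nothing private

# The pitfall of the @@private variant, reproduced on purpose.
class SharedBase
  @@private = //                    # meant as "nothing private"
  def self.private_regex; @@private; end
end
class SharedA < SharedBase
  @@private = /\Auser/              # rebinds the ONE variable shared by all
end
class SharedB < SharedBase; end     # sets nothing, yet now requires login

# Drive one request through a controller; true means the action would run.
def action_allowed?(klass, action, logged_in)
  session = logged_in ? { "person" => 42 } : {}
  klass.new(session, action).dispatch
end
```

Two things the model makes visible that the snippets above do not: @SharedB.private_regex@ comes back as @/\Auser/@ although @SharedB@ never set anything, and @"index" =~ //@ is @0@, which is truthy in Ruby, so the "nothing private" default written as an empty regexp actually makes every action require a login.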

Comment: I love this idea, but it sucks to add this after the fact because you have to rename actions, rhtml files, and all the links. I wish there was something that combined both.
<hr />
See also: LoginGeneratorAccessControlList

Comment: This page was great, and well written, thank you so much.
