finished admin filter and write-up for issue #6

app/controllers/admin_controller.rb

@@ -1,5 +1,6 @@
 class AdminController < ApplicationController
   
+ # before_filter :administrative
   skip_before_filter :has_info
   
   def dashboard

app/controllers/application_controller.rb

@@ -18,13 +18,13 @@ class ApplicationController < ActionController::Base
   end
 
   def is_admin?
-    admin = current_user.admin if current_user 
+    current_user.admin if current_user 
   end
 
   def administrative
     if not is_admin?
      reset_session
-     redirect_to login_path 
+     redirect_to root_url
    end
   end
   

app/views/layouts/tutorial/url_access/_url_access_first.html.erb

@@ -16,7 +16,7 @@
           </div>
           <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+             Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
             </div>
           </div>
         </div>
@@ -30,7 +30,17 @@
           </div>
           <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+              <p class="desc">
+				Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. Currently, the methods to apply a before_filter already exist in the application controller but were forgotten when creating the administrative functionality. Notice an asbsence of the before_filter within app/controllers/admin_controller.rb
+	 		  </p>
+			  <pre class="ruby">
+				<%= %q{
+				class AdminController < ApplicationController
+				
+				  skip_before_filter :has_info
+				} %>
+			  </pre>	 
+	 
             </div>
           </div>
         </div>
@@ -44,7 +54,37 @@
           </div>
           <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+              <p><b>Failure to Restrict URL Access - ATTACK</b></p>
+			  <p class="desc">
+				Request the following URL /admin/1/dashboard and have fun :-)
+			  </p>	
+			  <p><b>Failure to Restrict URL Access - SOLUTION</b></p>
+			  <p class="desc">
+				The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb:
+			  </p>
+			  <pre class="ruby">
+				helper_method :current_user, <span style="background-color:yellow">:is_admin?</span>
+				
+				def is_admin?
+			    	current_user.admin if current_user 
+			  	end
+			
+			  	def administrative
+			  	  if not is_admin?
+			  	   reset_session
+			  	   redirect_to root_url
+			  	 end
+			  	end
+			  </pre>	
+			  <p>
+				Then add the following line within app/controllers/admin_controller.rb
+			  </p>	
+			  <pre class="ruby">
+				class AdminController < ApplicationController
+
+				  <span style="background-color:yellow">before_filter :administrative</span>
+				  skip_before_filter :has_info
+			  </pre>	
             </div>
           </div>
         </div>
@@ -58,7 +98,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+              I bet there is some admin functionality in here :-)
             </div>
           </div>
         </div>