I find a common issue in my RESTful Rails apps controllers that respond to multiple formats (HTML, XML, etc). The issue is that, for any given method (INDEX, CREATE, NEW, EDIT, SHOW, UPDATE, or DESTROY) I want to restrict access to admin users for 1 format, but not others. Of course I already have a “before_filter :admin_required” for this, but it is useless unless all formats for a given method adhere to the same permissions (which, many times, is not the case). I end up just having to open up the entire method and then add a “head :bad_request unless current_user.is_admin” to any of the formats that need protecting. This works, but for some reason feels wrong to me. It seems like I should be able to add a format parameter on the before_filter somehow, so as to keep things tidy. How do you guys do it and why?

UPDATED QUESTION:

I think people are not fully understanding my situation, so let me try to re-explain. First of all, just know that this already works for me and is secure and I have no problems with it. So basically, I have decided that HTML pages will only be for admins to create/update/edit/delete objects. The normal users will ONLY interact with the app via XML thru a flash interface. What this means is that there are essentially 2 different paths of execution (each with their own distinct code/logic etc.) for each action. So when the request comes in, the format dictates which path is taken. There are checks in each to make sure that no malicious requests are allowed, and a head :bad_request is returned in these cases. There is no way to “craft an XML request outside of flash” and somehow make the app do something that it otherwise shouldn’t. The app could care less if the XML request came from Flash or not. It does not matter one bit. The only thing that matters is whether or not the request is valid based on the credentials of the user and attributes posted – not where it came from. Anyways, this all works great, the only downside is that a lot of my actions that would normally just have a “before_filter :admin_required” can’t use that anymore. They need to be opened up to everyone essentially, and then I have to manually do a “head :bad_request unless current_user.is_admin” on certain action/format combination’s that require it. I was just hoping that I could have more fine-grained control over the filters in the controllers so that I could do something like “before_filter :admin_required, :format => html“