:except not working in before_filter in application controller. Routing problem?

Question

I have a before_filter in my application controller to keep a user's session alive (and log them out if a time out has been reached). This should be called on every action except /sessions/new and /sessions/destroy which are routed as /login and /logout.

The relevant parts of my application controller look like this;

class ApplicationController < ActionController::Base
  before_filter :update_activity_time, :except => [:login, :logout]

  private

  def update_activity_time
    if current_user
      time_out = current_user.setting.remember_me ? 20160 : current_user.setting.user_timeout
      from_now = time_out.minutes.from_now
    end
    if session[:expires_at].blank?
      session[:expires_at] = from_now
    else
      time_left = (session[:expires_at].utc - Time.now.utc).to_i
      if time_left <= 0
        session_expiry
      else
        session[:expires_at] = from_now
      end
    end
  end

  def session_expiry
    reset_session
    flash[:notice] = 'Your session has expired. Please log back in.'
    unless request.xhr?
      session[:return_to] = request.request_uri
      redirect_to login_url
    else
      session[:return_to] = request.referer
      render :js => "window.location.replace(\"#{login_url}\")"
    end
  end

end

and my routes.rb contains the following;

map.login "login", :controller => "sessions", :action => "new"

map.logout "logout", :controller => "sessions", :action => "destroy"

The before_filter is being called when /login or /logout are being visited. This isn't a show-stopper but it does cause a few odd behaviours (e.g. when logging out from a page that has timed out).

Any ideas what I'm doing wrong? I'm using Rails 2.3.10.

Answer 1

The :except option takes action names, not url parts. Here's what you should do instead:

class ApplicationController < ActionController::Base
  before_filter :update_activity_time
  ...
end

Then, in sessions_controller.rb:

class SessionsController < ApplicationController
  skip_before_filter :update_activity_time, :only => [:new, :destroy]
  ...
end

You don't want to put the :except in ApplicationController because, if you did, the new and destroy actions for every one of your app's controllers wouldn't update the activity time.