Recent Comments

Avatar

It's surprising how many devs (noobs?) don't know what bitmasks are or how to use them. It's a very common technique to store status flags.

Avatar

I've got UG...

Just kidding, thanks a lot Ryan! Keep up the great work.

Thanks
Ben

Avatar

@kikiki, http://github.com/cldwalker/hirb

Avatar

Thanks a lot Ryan!
I've been using serialize lately and searching for matching records was such a pain :)

Avatar

I liked this one, especially the collection_select on the single-role part.

It is worth pointing out that declarative_authorization allows roles to "inherit" from other roles, so if you are using it there's a chance you can just have one role per user.

Avatar

Thx @ ryan for showing us other ways to get things done.

BUT in my opinion there is another big risk in your last approach when you are using the role_mask approach:

What if you want to remove a role from your system? You can remove the definition from authorization_rules.rb, but when you remove the name from the array, then users assigned to the "old" role will get assigned to the next role, which may not be allowed for them.

Additionally: what about active and inactive roles? Normal users may subscribe to "admin", but they should not be allowed to.

The working solution for me:
I've chosen to store roles inside the db: roles and role_assignments, where role_assignments has an "active" field which has to be set by another action only allowed to admins. It is very easy to modify the code from the last Railscast to use only active_roles (association) inside the user model. Having your roles and assignments inside the db enables you to add and remove roles easily, as you only have to modify config/authorization_rules.rb to enable them (you do NOT have to change anything else in your code).

There is much more you can do to enforce your strategy: foreign_key constraints, ...

AND don't forget to write tests ^^

So thx 4 the tutorial on how differently one problem can be "solved", and keep going ^^
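A plain-Ruby illustration of the risk described above (added here; it is not code from the episode or from the commenter): the index-based roles_mask from the screencast is modelled as IndexMaskUser, and a name-keyed mask in which every role keeps a fixed bit as NamedMaskUser. The class names, the bit values and the sample role lists are assumptions, and ActiveRecord is left out so the snippet runs on its own.

```ruby
# Index-based scheme as in the screencast: bit i <=> ROLES[i] (plain Ruby,
# no ActiveRecord; roles_mask stands in for the roles_mask column).
class IndexMaskUser
  attr_accessor :roles_mask
  def initialize(roles_list, mask = 0)
    @roles_list, @roles_mask = roles_list, mask
  end
  # Intersecting with the list drops names that are not configured roles.
  def roles=(names)
    @roles_mask = (names & @roles_list).map { |r| 2**@roles_list.index(r) }.sum
  end
  def roles
    @roles_list.reject { |r| (@roles_mask & 2**@roles_list.index(r)).zero? }
  end
end

# Name-keyed scheme: every role owns a fixed bit, so deleting an entry retires
# that bit instead of moving another role onto it.
class NamedMaskUser
  attr_accessor :roles_mask
  def initialize(bits, mask = 0)
    @bits, @roles_mask = bits, mask   # e.g. { "admin" => 1, "author" => 4 }
  end
  def roles=(names)
    @roles_mask = names.map { |r| @bits.fetch(r, 0) }.reduce(0, :|)
  end
  def roles
    @bits.keys.select { |r| (@roles_mask & @bits[r]) != 0 }
  end
end

# Store a moderator, then drop "moderator" from the configuration and read the
# stored mask back with the new configuration.
def index_scheme_after_removal
  user = IndexMaskUser.new(%w[admin moderator author])
  user.roles = ["moderator"]                       # stored mask: 2 (bit 1)
  IndexMaskUser.new(%w[admin author], user.roles_mask).roles  # bit 1 now reads as "author"
end

def named_scheme_after_removal
  bits = { "admin" => 1, "moderator" => 2, "author" => 4 }
  user = NamedMaskUser.new(bits)
  user.roles = ["moderator"]                       # stored mask: 2
  NamedMaskUser.new(bits.reject { |k, _| k == "moderator" }, user.roles_mask).roles
end
```

With the index-based scheme the stored moderator silently becomes an author after the removal; with fixed bits the stale bit matches no role and the user simply has none.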

Avatar

Awesome been looking forward to this one!

Avatar

Thanks for the post.
By the way, how can the script/console result be shown like the MySQL command line result (grid-like)?
Is that a kind of plug-in?

Avatar

@ryan, I think the spammer is just playing with you at this point. You may want to consider blocking IPs.

On a related note, very excited about CanCan, will be giving it a trial run in one of my apps very soon.

Avatar

@Houcine:

I simply used the following code as my partial; in place of @product.name in your case (as you put it, :name) I used inventory.item and inventory.part_number.

I saved this file as _inventory.html.erb in my app/views/inventories folder.

I didn't adjust either (searches or inventories controller).

For those with experience using partials, is this a good way of working with these files? Also, how did you deal with displaying "no results found"?
-------
<%# app/views/inventories/_inventory.html.erb: renders one inventory record %>
<p>
  <strong>Record:</strong> <%= link_to h(inventory.item), inventory %>
</p>
<p>
  <strong>Part Number:</strong>
  <%=h inventory.part_number %>
</p>

Avatar

@Ryan, your sense of humor gets me every time.

Avatar

Don't use justinfrench-formtastic, that's too old. Use formtastic from gemcutter.

Avatar

Anyone else tried the Wicked pdf plugin yet? Looks perfect and simply uses your view html/css http://github.com/mileszs/wicked_pdf

Avatar

Another excellent screencast. Thanks, Ryan.

Tarantula can help here as well.

http://github.com/relevance/tarantula

As you know, many errors like this can be caught just by clicking through the site and inputting both valid and invalid data on every form. But none of us want to do that manually, since it's both a bore and a huge chore. However, Tarantula will happily do the job for you. "Tarantula is a big fuzzy spider. It crawls your Rails application, fuzzing data to see what breaks."

Tarantula will crawl your entire app, and report any 500s or 404s it encounters. It only takes a few minutes to add it to your Rails app. And if you're not already using it, I'll bet it will find at least one issue you didn't know about. And then you can fix it *before* it affects one of your users!

Using Tarantula is not an excuse to avoid writing good integration tests, but it is another valuable tool in your toolbox.

Avatar

@Kieran, the question only shows up if the comment looks like spam. As long as you aren't grunting like a caveman (ugg, ugg) then you should be fine.

Avatar

YaY! Spam is gone. I see from the Github repo that you implemented a question based spam captcha. But I'm not seeing it appear here... site needs an update?

Avatar

Hope the new spam system works! :)

Avatar

Guys having problems with libtidy.dylib:

http://exceptionz.wordpress.com/2009/11/03/scrapi-on-snow-leopard/

Avatar

Great tutorial for a great plugin, very nice, thanks for the 2 great episodes about formtastic. But I got a problem when I use paperclip: attr_accessible can't be used, because paperclip uses attr_protected. Would you tell me about this situation, or give me a link about attr_protected to read? Sorry, my English is bad...

Avatar

Anyone know if this feature can be used for relational objects?

a has_many b

a.b_ids.changed?

Avatar

Used Declarative Authorization and Authlogic in a project together, it added some really cool advantages.

Avatar

Hi Ryan,

I got this error

undefined method `reflect_on_association' for NilClass:Class

in my application helper; AFAIK reflect_on_association is a Rails method, please help

thanks

Avatar

How to use git in eclipse

Avatar

Ryan,

A couple of thoughts/temporary fixes on the spam issue.

1. If enough users click on "Report as Spam" for a message, hide the detail of the message. Put a "Flagged as Spam" message and an "Unhide" link - that way, you can scroll through the comments quicker.

2. Assign basic moderator functionality and assign a handful of trusted readers to remove the spam.

3. Implement the keyword blacklist that others have suggested. If a few valid comments don't make it through, it isn't that big a deal. It's not like we're sending an innocent man to jail.

Avatar

Can this technique be combined with the dynamic list that you presented in #73? I would like to be able to add elements and sort them during creation and edit.

Avatar

Hi! I'm having this problem: I have, in my user table, a boolean column named "admin". In my user.rb I wrote:
def role_symbol
  [:admin] if admin?
end
and in my authorization_rules I have:
role :admin do
  has_permission_on [:artists, :albums, :events, :neews], :to => [:index, :show, :new, :create, :edit, :update, :destroy]
end

The problem is that when I log in as an admin user (which has admin = true) I can't reach any model which has "filter_resource_access" in its controller; I see the "You are not allowed to access this action." page... why?
Thanks a lot!

Avatar

@Jochen Kempf:

Your approach to putting access control on non-action-based content is intriguing, but I cannot understand your explanation well enough to implement it. Where can I go to see this in more detail?

For example, where do you put the content to be controlled? Is it hard-coded in the view? And is the dummy controller completely empty?

Avatar

Trying to recreate this with HAML but can't get it to work; can you give me the basic form?

Avatar

As a viewer from the beginning (or very close) I second the idea of registering to be able to comment or something like that. A passcode at the end of the cast might work, too. For whatever reason reCaptcha isn't working at all.

Avatar

Another try with just one word of the recaptcha

Avatar

Cool cast. I built my own plugin for this, much more client-oriented, but this is still cool.
(I'm submitting this comment to see if the recaptcha is really working.)

Avatar

Pretty good & very useful thoughts for SaaS model applications.

Avatar

Hey Ryan, would you care to share the textmate magic that you use to align the table?

Avatar

I have a solution for the spam. Since most of us know at least a bit about Rails (otherwise we wouldn't give a rat's ... about the Railscasts), add a simple question in addition to the Captcha, for example:

Fill in the blank:

validates_xxxxx_of :firstname, :lastname

or something more funny (and political LOL):

validates_xxxxx_xxx :smartpresidents, :in => "George W. Bush"

Avatar

What is the clause here for? It is a lot of spam.

Avatar

Is there a way to handle dynamic RBAC / allow admin users to manage RBAC instead of hardcoding it like this?

Avatar

Why not say a codeword at the end of the railscast that is needed to post a comment for it? Or some obfuscated ruby code to display a password? That might discourage the spammer...

Avatar

Thanks Ryan, I use ACL9 gem, and I know there are probably like 100's of ways to go about authorization. Excellent screen cast as usual.

Avatar

How do I dynamically change the role in this program?

It looks like I need to revise it manually. I cannot revise it online.

Avatar

Nice episode once again! Thanks a lot!

Avatar

Sven Fuchs and I have written a really generic (and therefore powerful and not quite easy to use) RBAC implementation. You can find it here: http://github.com/svenfuchs/rbac

We use it in adva-cms (http://github.com/svenfuchs/adva_cms - http://adva-cms.org), so you can check the implementation there if you want to.

Avatar

I do love the typo "Authologic" in the show notes. Looking forward to watching the episode tomorrow. Keep up the good work, Ryan!

Avatar

Nice solution! But if I don't want to hard-code the ACL, what are the alternatives for storing everything in the database? I think it would be more flexible to be able to create permissions on the fly and then assign them to user groups, perhaps.

Avatar

Is it me, or does the iPhone/iPod version have some artifacts, and a couple of times the screen freezes...
Except for this ;-) I think you're doing an amazing job. Thank you.

Avatar

I really like this declarative approach!

For those who need to control non-action-related content and keep the declarative approach, this is what works perfectly for me:

- Create a dummy action in the controller (e.g. "admin", "no_admin")
- Define the corresponding role-based rules
- Use the Authorization view helper (e.g. "if permitted_to? :admin, :articles") in the view

The benefit is that you don't have to update your views when adding roles.