Thanks for all your work, Ryan. These are great, and your time and effort are much appreciated.
I'm sorry you've gotten hammered by the comment spammers. Really sucks that you have to deal with that. Wish I could help!
Ryan - excellent, useful information this week. I've been a satisfied user of your nifty_authentication generator. For a tiny app I'm doing at work, I'd like the staff to be able to do just about anything except create a new user - I'd like only an admin to be able to do that. I've been trying to figure out how to do roles with nifty_authentication since for this project even something as straightforward as authlogic is more complexity than I need. So here's my encouragement for an rbates authorization solution that's just a LITTLE more full featured than nifty_authentication!
Thank you so much, great screencast.
I've been using this for awhile, it's a wonderful plugin, and Steffan is always in the google forums helping out users.
I was wondering when you would do a screen cast about this wonderful gem!
Thanks for all you do, you're always saving me time, and showing me something new!
I'm a user (and guys at my company as well) of base_auth, a pretty simple yet powerful authorization plugin. I think you could do a Railscast on that one too, now that you've touched the topic of authorization.
http://blog.aenima.pl/2008/12/8/base-auth-a-complete-tutorial-to-securing-your-rails-application
Great 'cast by the way, keep up the good work!
What is missing from this gem to tempt you to write your own role authorization plugin (according to your tweet)?
Authorization plugins are a hard find. Some have barely any features, some are overly complex. One issue I'd like to point out is if someone is not authorized, it should throw perhaps a 401
You have a typo in the links. It says "Authologic" but should be "Authlogic".
Looks pretty nice. FYI, there's shorthand for the :to parameter so you don't have to explicitly state every approved action,
such as :to => :manage or :to => :all
We have used this kind of approach for quite some time here at Lipsiasoft with our admin, Lipsiadmin.
Check it out.
http://www.lipsiadmin.com/
I like the Aegis plugin (http://github.com/makandra/aegis).
It has a lot less magic than the declarative auth plugin, but it's straightforward and clean.
Hey Ryan, great work,
However I wonder how to go about doing a role based management with accounts (subdomains). So if some user has manage access in account 1 and guest access in account 2. How would you go about setting that up in declarative_authorization?
Thanks again,
Andrew
@Walter
filter_access_to does not auto-load these objects, filter_resource_access is a newer feature of DA
check the README
This is rather timely as I've been redoing some role based permissioning stuff lately. I may have to get dirty with this. Thanks Ryan.
On a side note: The ugg spam is getting a little absurd. It's obviously some jerk doing it manually. I wonder if a banned word list would help.
@ARTSIOM
"include Authentication"
is for AuthLogic
@kikito
<% if permitted_to? :create, Article.new %>
instead, you can do just this:
<% if permitted_to? :create, :articles %>
That is not always the correct behavior: Article.new allows for if_attribute checks, while :articles inhibits this feature.
You just made my day :)
When you delete
@article = Article.find(params[:id]) and @article = Article.new... from the ArticlesController, you say it is now handled by the filter_resource_access before filter.
Where is this implemented? What happens if my controller differs and I need something other than .find(params[:id]), for instance when using pagination? Can we use a different before filter?
As Ryan mentioned earlier, this could be a human spammer. Maybe time for blocking some IPs.
anyway great cast Ryan
I think it's our responsibility to take the time to report the spam. The problem is that the ahole that is doing this knows that there is a flood of activity every monday morning so he's probably adding the spam manually.
>Sadly reCAPTCHA seems to not keep em away.
Maybe we could give negative captcha a try? I use it on many sites and it seems to work better than classic captchas, and without harassing people.
Sadly reCAPTCHA seems to not keep em away.
Hi and thank you for these very good screencasts.
I wonder if another possible way could be to check whether the form was submitted from the same server IP as the development server.
So a curl from outside would not be possible.
Can someone please explain what this line does in ApplicationController:
include Authentication
Hi, nice screencast!
Do you happen to know if formtastic handles the acts_as_tree plugin in a has_many :through association? For example: I want to have check_boxes in the form laid out as a tree structure (like categories and subcategories in an e-shop).
Thank you,
H.
@92 John McLeod
To get rid of the Deprecation Warning, I think you need do this:
Change THIS
:url => formatted_..._path(:js) ..
to THIS
:url => ... _path(:format => :js) ..
(FYI I'm running Rails 2.3.4)
Ryan - Superb Web resource you've got here! Well Done - My first port of call when I get stuck developing my Apps. Keep up the good work :-)
Awesome Ryan, thanks again for your amazing screencasts. I'm going to implement this in my app today.
I'm making a PayPal donation, please keep the episodes coming.
Hi Ryan,
There's no need to create an article on this line:
<% if permitted_to? :create, Article.new %>
instead, you can do just this:
<% if permitted_to? :create, :articles %>
Apart from that, great stuff!
Wonderful stuff.
Wonderful gem.
Wonderful railscast.
Wonderful you!
Thanks again Ryan !
We use easy_roles at platform45, for simple role based authorization.
It's more of a lightweight solution, and has basic usage, not comparable to declarative authorization.
I think it's worth checking out tho!
http://github.com/platform45/easy_roles
was waiting for this ;)
I followed it step by step and when in the minute 6, when I click on "submit" button I receive this error:
undefined local variable or method `persistence_token' for #<User:0x104203500>
What is wrong? :S
thx ryan,
great cast - as usual!
Lots of your security issues might easily be solved via rack apps.
Just have a look at http://coderack.org/
e.g. http://coderack.org/users/J-_-L/entries/80-racknotags deletes all "<" and ">" tag elements, and you can use it for every app/framework you use!!
Hi guys,
I'm a newbie.
I get the following error when I reload the form after installing paperclip:
NoMethodError (undefined method `has_attached_file' for #<Class:0xb7ae3140>):
app/models/product.rb:4
app/controllers/products_controller.rb:3:in `index'
Please help.
Thanks, Ryan! Great 'cast!
Another way to prevent all rake tasks from blowing up in environments without some gems (but where the tasks won't ever run) is to put the require statements inside of the tasks that use the gems. We do this and it's cleaner (I think) than a begin/rescue/end block at the top of the file.
Thanks for the great screencast again!
About the annoying Spam-Problem:
Please try using Akismet.
http://akismet.com/
It works great on thousands of WordPress sites. Without any annoying captcha.
http://github.com/jfrench/rakismet might be a place to start (not used yet).
Regards
I'm on Rails 2.3.4 and content_for simply doesn't work when called within a partial..
Hey, I was working on an application where I need to search on the content of the file.
So is there a way in Rails to index the content of the files stored on the local filesystem?
Check out my solution that needs no JavaScript code writing, and requires fewer lines of code: http://programmers-blog.com/2009/11/12/dependant-dropdowns-select-menus-using-rails
Thank you so much for this series! It helped me out an incredible amount. This saved me days of researching and learning. Thank you! :)
How about making it so after x number of people report a comment as spam, it automatically gets hidden. Then you can permanently delete it later if you wish or unhide it if it really isn't spam.
Correcting myself (comment #37):
When no exception is raised (hopefully most of the time) the code calls #backtrace on a nil object. Here is a corrected version:
http://pastie.org/693810
Giacomo
Thanks for all your screencasts, great work.
If you want to access the exception inside your test you can write:
    @response.template.instance_variable_get(:@exception)
(Look at the source code for "assert_response" inside ActionPack.)
Since the assertion accepts a message as second parameter you can pass the backtrace there:
    assert_response :success,
      @response.template.
        instance_variable_get(:@exception).
        backtrace.join("\n")
or put it in a method to clean up the backtrace, etc.
Thanks again.
Giacomo
Thank you very much! Helped me a lot.
I wanted to note that in the iTunes podcast feed, both this episode and the previous one (#187, #186) generate errors when trying to sync with my iPhone. No other Railscast on that feed does. It's the standard "wrong format" message.
http://railsforum.com/viewtopic.php?pid=111950#p111950
Would love some help on this, man.
Redirecting problems in the sessions controller: if the password is wrong, what do I do here?
Tried this:
class SessionsController < ApplicationController
  def create
    # The post does not show the condition; password_correct? is a hypothetical placeholder for the check
    if password_correct?(params[:password])
      session[:password] = params[:password]
      flash[:notice] = 'Successfully logged in'
      redirect_to :controller => 'home', :action => 'index'
    else
      authorise
      redirect_to login_path
    end
  end

  def destroy
    reset_session
    flash[:notice] = 'Successfully logged out'
    redirect_to login_path
  end
end
Please disregard my earlier emails. I finally got it working.
Thanks
A bit of a follow-up to my email of 11/8/09...
I found the show form would execute its select correctly, and the select syntax for the partial seems to be correct when tested against the prospects table. Unfortunately I still get:
You have a nil object when you didn't expect it!
You might have expected an instance of Array.
The error occurred while evaluating nil.each
Extracted source (around line #23):
20: <th>Entry</th>
21: </tr>
22:
23: <% for prospect in @prospects %>
24: <tr class="<%= cycle('list-line-odd', 'list-line-even') %>">
25: <td class="list-description">
26: <td><%=h prospect.id %></td>
Suggestions would be very much appreciated.
Josh or Ryan,
Can you PLEASE post a tutorial using google4r-checkout? Thanks!
- Jane
This tutorial is great and I've got it 90% working with my app. Everything is happening except the Delete part.
The JavaScript works up to where it hides the Task input box, but it doesn't set the should_destroy value... if I inspect the params, it's always null.
Any ideas?
Excellent screencast, although nothing of this is new to me :)
One thing I was wondering is why you made integration tests; they seem to be functional tests to me. And, as Matthew Savage said, I think you can get the full trace by running 'rake test:integration --trace'.