RailsCasts Pro episodes are now free!
Learn more or hide this
Doesn't the before_filter need to return true in the other case in order to normally proceed the request?
Good question. It's not necessary because it continues as normal if it returns nil (which it will if the condition isn't met). The only time it stops is if it returns false.
flash[:error] does not work unless it is matched in the view layout, just in case anyone has issues getting the error message to show
I follow the tutorial but i can login even i type wrong password.
How to fix?
Hi i added the
<% admin? %>
<% end % >
it works great but when i combine it with the super simple authentication then the "must hidden" is not hidden.
hi, i already fix my error.. sorry i didn't see the "==" in the password for the password is equals equals.
now its working and my next step is to connect ito database when i have users table.
i was just wondering if you have idea where i can get a dummy's guide for different levels of authorisation.
like some people will be able to CRUD,
some write only, some read only.
i'm very new to RoR sadly
thanks in advance!
I'd add a string "level" column to each user. In that you could save for e.g "Writer", "Reader", "Editor", "Admin", and others you need. Then when you just need to add some controls as you do for the admin area. For e.g.
<show form to write>
and the writer? method would be like this:
current_user.level == "Writer"
Be aware of the level, if the user can choose her level pay attention she don't select the Admin level.
I still have not resolved that question in my mind... if someones accesses a URL they should not, is redirecting the correct action?
I mean, it indicates your application will respond again and again to it.
On one project I did I simply determined to return a 404 (not found) when a protected resource was accessed. Indicating to the client they should not come back to that URI.
You got your thoughts on this dilemma?
@Jean, I think returning 404 is an excellent solution, especially if you have a User model setup. You can then fetch resources through the user model and rails will handle the 404 automatically for you. For example, let's say a User has many Projects and you only want the user to have access to his own project. In the controller show action you can do this:
This way the user can only fetch the project he owns. If he doesn't own it, he will receive a 404.
@Jean and Ryan,
Strictly speaking, you _really_ should be returning a 403 in those cases. There *is* as a resource there, it's just forbidden to that user (or role, or what have you).
The simple way to do this is Rails is:
Nick Kallen has shown a nice pattern for doing this type of thing consistently across your app, using Rails' rescue_action method.
In reality you might want to override rescue_action_in_public instead -- check the API docs to get more of an idea of how these methods work, like how to make sure you can still render a custom error file.
Thanks for all the great Railscasts, Ryan.
I added logged_in? to admin? to stop nil object errors...
logged_in? && current_user.login == "admin"
I keep getting a major loop happening between the before_filter in my root controller...and the app controller authorize function, because if the filter chain is halted due to the admin not being logged in, the redirect is back to my root controller, which then calls the authorize function from the before filter...thus creating a loop...
so to remedy...this, from authorize
I redirect to the /sessions/new which is fine...but now every route /url is redirected there ... even though I have an :except in my before filter
fixed...sorry for the spam
before_filter :my_authenticate , :except => [:index, :show]
As always, your webcasts are exceptional. They've helped me out tremendously in all the Rails applications I've been working on.
Quick question... have you ever done any role-based access control? If so, maybe this could be a topic for one of your future webcasts?!
Will this still work for Rails 2.0 or is there a better way of doing it now?
Whats the bet way to handle roles now wuld you use http://www.writertopia.com/developers/authorization ?
I understand how to implement roles on the entire site, but how would you break this down even further, to an account level for example?
I have an application that hold accounts. Each account can have multiple users with multiple roles and each user could belong to multiple accounts, again, with differing roles. An editor of one account may be the owner of another, for example.
I'm struggling to see how I can check to see if the currently logged in user is in a particular role for the account that they are trying to access.
So far I have tried using a Privileges table that holds a user_id, role_id and account_id, but I can't find a way to find out if the current user within the current account belongs to a certain role.
Confused and probably making it worse for myself...
Thanks for the great post.
With the default session store (cookies) the password will be stored in clear text on your pc.
It's worth looking at these links if you're concerned about how secure your login process is (you should be).
i'm new on ruby on rails
i have user and book model
user model contains login actions when i wrote this to the application controller
current_user.user_name == "Writer"
i'm having an error message
--undefined local variable or method `current_user' for #<BookController:0x77131b0>
why i'm having this message?
how to fix
i have user and book model
Great screencast series. This is exactly what I'm looking for. Sadly it doesn't work for Rails 3.2. Helper method's seem to have changed in Rails 3. Any tips?
I don't want to use any gem for authorization
so can you please help me out to use this particular authorization technique when we have multiple roles for the user.
I want to use it on rails 4
Antivirus Support -Contact for assistance on Antivirus, Internet Security, and security software. Make your computer secure and virus free.