RailsCasts Pro episodes are now free!

Learn more or hide this

Restricting Access

#20 Restricting Access

Apr 18, 2007 | 4 minutes | Security, Administration
In this second part of the series on administration, you will learn how to lock down the site to keep the public from accessing the administration features.
Click to Play Video ▶
  • Download:
  • mp4Full Size H.264 Video (9.4 MB)
  • m4vSmaller H.264 Video (5.82 MB)
  • webmFull Size VP8 Video (14.7 MB)
  • ogvFull Size Theora Video (11.9 MB)
Avatar
Maledictus over 17 years ago

Doesn't the before_filter need to return true in the other case in order to normally proceed the request?

Avatar
Ryan Bates over 17 years ago

Good question. It's not necessary because it continues as normal if it returns nil (which it will if the condition isn't met). The only time it stops is if it returns false.

Avatar
Jack Wall over 17 years ago

flash[:error] does not work unless it is matched in the view layout, just in case anyone has issues getting the error message to show

Avatar
Brian over 17 years ago

I follow the tutorial but i can login even i type wrong password.

How to fix?

Avatar
Brian over 17 years ago

Hi i added the

<% admin? %>

<% end % >
it works great but when i combine it with the super simple authentication then the "must hidden" is not hidden.

any idea?

thanks

Avatar
Brian over 17 years ago

@ryan bates

hi, i already fix my error.. sorry i didn't see the "==" in the password for the password is equals equals.

now its working and my next step is to connect ito database when i have users table.

Thanks =)

Avatar
jocelyn almost 17 years ago

hi ryan,

i was just wondering if you have idea where i can get a dummy's guide for different levels of authorisation.

like some people will be able to CRUD,
some write only, some read only.

i'm very new to RoR sadly

thanks in advance!

Avatar
cover almost 17 years ago

@jocelyn

I'd add a string "level" column to each user. In that you could save for e.g "Writer", "Reader", "Editor", "Admin", and others you need. Then when you just need to add some controls as you do for the admin area. For e.g.
if current_user.writer?
  <show form to write>
end

and the writer? method would be like this:
def writer?
  current_user.level == "Writer"
end

Be aware of the level, if the user can choose her level pay attention she don't select the Admin level.

Avatar
Jean-Marc almost 17 years ago

I still have not resolved that question in my mind... if someones accesses a URL they should not, is redirecting the correct action?

I mean, it indicates your application will respond again and again to it.

On one project I did I simply determined to return a 404 (not found) when a protected resource was accessed. Indicating to the client they should not come back to that URI.

You got your thoughts on this dilemma?

Avatar
Ryan Bates almost 17 years ago

@Jean, I think returning 404 is an excellent solution, especially if you have a User model setup. You can then fetch resources through the user model and rails will handle the 404 automatically for you. For example, let's say a User has many Projects and you only want the user to have access to his own project. In the controller show action you can do this:

current_user.projects.find(params[:id])

This way the user can only fetch the project he owns. If he doesn't own it, he will receive a 404.

Avatar
Ches Martin over 16 years ago

@Jean and Ryan,

Strictly speaking, you _really_ should be returning a 403 in those cases. There *is* as a resource there, it's just forbidden to that user (or role, or what have you).

The simple way to do this is Rails is:

head :forbidden

Nick Kallen has shown a nice pattern[1] for doing this type of thing consistently across your app, using Rails' rescue_action method.

In reality you might want to override rescue_action_in_public instead -- check the API docs to get more of an idea of how these methods work, like how to make sure you can still render a custom error file.

Thanks for all the great Railscasts, Ryan.

[1] https://blabs.pivotallabs.com/users/nick/blog/articles/272-access-control-permissions-in-rails

Avatar
dazza over 16 years ago

great tips...

I added logged_in? to admin? to stop nil object errors...

 def admin?
    logged_in? && current_user.login == "admin"
  end

Avatar
dazza over 16 years ago

woop...

I keep getting a major loop happening between the before_filter in my root controller...and the app controller authorize function, because if the filter chain is halted due to the admin not being logged in, the redirect is back to my root controller, which then calls the authorize function from the before filter...thus creating a loop...

so to remedy...this, from authorize
 I redirect to the /sessions/new which is fine...but now every route /url is redirected there ... even though I have an :except in my before filter

any ideas?

cheers

dion

Avatar
dazza over 16 years ago

fixed...sorry for the spam

before_filter :my_authenticate , :except => [:index, :show]

Avatar
bryan over 16 years ago

Hey Ryan,

As always, your webcasts are exceptional. They've helped me out tremendously in all the Rails applications I've been working on.

Quick question... have you ever done any role-based access control? If so, maybe this could be a topic for one of your future webcasts?!

--
Thanks!

Avatar
Dale over 16 years ago

Will this still work for Rails 2.0 or is there a better way of doing it now?

Avatar
Michael over 15 years ago

Hi Ryan,

Whats the bet way to handle roles now wuld you use http://www.writertopia.com/developers/authorization ?

Avatar
Shaun over 15 years ago

Hi

I understand how to implement roles on the entire site, but how would you break this down even further, to an account level for example?

I have an application that hold accounts. Each account can have multiple users with multiple roles and each user could belong to multiple accounts, again, with differing roles. An editor of one account may be the owner of another, for example.

I'm struggling to see how I can check to see if the currently logged in user is in a particular role for the account that they are trying to access.

So far I have tried using a Privileges table that holds a user_id, role_id and account_id, but I can't find a way to find out if the current user within the current account belongs to a certain role.

Confused and probably making it worse for myself...

Thanks for the great post.

Avatar
nruth over 15 years ago

With the default session store (cookies) the password will be stored in clear text on your pc.

It's worth looking at these links if you're concerned about how secure your login process is (you should be).

http://guides.rubyonrails.org/action_controller_overview.html#session

http://guides.rubyonrails.org/security.html

Avatar
same almost 15 years ago

hi
i'm new on ruby on rails
i have user and book model
user model contains login actions when i wrote this to the application controller
current_user.user_name == "Writer"
i'm having an error message
--undefined local variable or method `current_user' for #<BookController:0x77131b0>
why i'm having this message?
how to fix

Avatar
Vasena almost 15 years ago

i have user and book model

Avatar
ssipiora about 12 years ago

Great screencast series. This is exactly what I'm looking for. Sadly it doesn't work for Rails 3.2. Helper method's seem to have changed in Rails 3. Any tips?

Avatar
abhi619 almost 11 years ago

I don't want to use any gem for authorization
so can you please help me out to use this particular authorization technique when we have multiple roles for the user.

I want to use it on rails 4

Avatar
antivirussupport1 about 7 years ago

Antivirus Support -Contact for assistance on Antivirus, Internet Security, and security software. Make your computer secure and virus free.