In my Rails 7 app I've got custom two_factor_authentication. Now I want to enable this 2fa only in development and test environment.
class ApplicationController < ActionController::Base
before_action :check_two_factor_authentication, except: :check_authentication
private
def check_two_factor_authentication
return true unless session[:challenge_id]
redirect_to two_factor_path
end
I've no idea what is check_authentication because inside entire app there is no such method - it comes from Devise gem I guess.
How to set that before action only to development environment?
have you tried
if %w(development test).include?(Rails.env)
before_action :check_two_factor_authentication, except: :check_authentication
end
?
You can use Rails.env.development? (or Rails.env.production?) to test which environment you are in.
if Rails.env.development?
before_action :check_two_factor_authentication, except: :check_authentication
end
Related
I have reviews set up similar to Airbnb.
These abilities should allow a guest to review a host, and a host to review a guest:
# ability.rb
can [:show], [Review] do |review|
if review.reviewable_type == "Host"
review.booking.guest_id == user.guest.id
elsif review.reviewable_type == "Guest"
review.booking.host_id == user.host.id
end
end
Here's the controller:
class ReviewsController < ApplicationController
authorize_resource
before_action :set_review, only: [:show]
def show
end
private
def set_review
#review = Review.find_by_id(params[:id])
end
end
When testing, everything works
host = Host.first
review = Review.first # A review of a host
ability = Ability.new(host.user)
ability.can?(:show, review)
# Returns false as expected
review2 = Review.second # A review of a guest
ability.can?(:show, review2)
# Returns true as expected
So everything's fine until this point.
But when I login as the host and visit the review for myself, I can review myself! The exact logic above denies access when it's tested in the console.
Why does cancancan prevent access in the console, but allow access in the browser?
Total noob mistake.
I had
authorize_resource
before_action :set_review, only: [:show]
But authorize_resource should be called after the before_action that sets the model instance for the action.
So after this simple reordering, it works as expected:
before_action :set_review, only: [:show]
authorize_resource
I am using existing rails application, where we currently use devise for authentication and Pundit for authorization. My requirement is to skip all policies scope authorization for all action in this existing rails application. How Can I do this?
I have tried below code but not worked:-
class ApplicationController < ActionController::Base
include Pundit
protect_from_forgery with: :exception
before_action :authenticate_user!, :set_default_timezone#, :modify_search_params
before_action :set_current_user
skip_after_action :verify_policy_scoped
#.....
end
Thanks in advance :)
Pundit provides skip_authorization to skip his authorization. Executing it before all actions of the controller will make it work for your requirement.
class ApplicationController < ActionController::Base
# ...
before_action :skip_all_authorization
private
def skip_all_authorization
skip_authorization
end
# ...
end
You need to skip both action authorization with an object (which are called by using authorize(object) and with a policy scope (called with policy_scope).
You can skip the hooks on your base class:
skip_after_action :verify_policy_scoped
skip_after_action :verify_authorized
Or just add another hook to skip them on your controller (my preferred approach)
after_action :skip_all_authorization
private
def skip_all_authorization
skip_policy_scope
skip_authorization
end
But by the way, you shouldn't need this unless you're ensuring the policy is called by adding the appropriate hooks.
In order do add security in devise, i need to set the "before_filter" thingy, like:
before_filter :authenticate_student!, only: [:new, :edit]
which is great... But my app need two user types... students and teachers. How do i make the controller just check if any of then is authenticate?
like:
before_filter :authenticate_any!, only: [:new, :edit]
How can i archive that?
I am using Ruby 2.2.0, and rails 4.
Just define those methods in your application controller
class ApplicationController < ActionController::Base
def authenticate_student!
authenticate_user! && current_user.student?
end
def authenticate_any!
authenticate_user!
end
end
You may complete the code of how to check student?
I'm getting a redirect loop. I have a clear idea why, user is logged out, redirected to login page (welcome#index) and user is still logged out and we have an endless loop.
How do I get out of loop?
I read about several options.
before_action :require_login placing it inside controllers where login is required. EASY, but a lot of copy paste, we love dry don't' we?
except, before_action :require_login, :except => root? I couldn't find details about except. I'm getting a lot of hits on before_filter which seems to be deprecated.
skip_before_action same here, I can only find bits and pieces :(
There should be a better way to handle these, is it rails way to do check routes level in config/routes.rb?
Application controller:
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
helper_method :current_user
before_action :require_login
private
def current_user
#current_user ||= Dedit::User.find(session[:user_id]) if session[:user_id]
end
private
def require_login
redirect_to root_path unless current_user.present?
end
end
login page controller:
class WelcomeController < ApplicationController
layout 'basic'
def index
if current_user.present? then redirect_to dedit_path end
end
end
before_action :require_login, except: [:index]
I am setting up a very simple rails app that involves a simple authentication check before you can enter the site. But, when the before_filter runs, and the user is redirected to the login path, a redirect loop occurs.
ApplicationController:
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
before_filter :check_session
private
def check_session
redirect_to login_path and return unless current_user?
end
def current_user?
!session[:username].blank?
end
end
SessionsController
class SessionsController < ApplicationController
def new
end
end
The issue is that, since your SessionsController inherits from ApplicationController, it actually inherits the before_filter as well. This means you are not allowing someone to see the login page unless they are logged in, which is usually undesirable behavior. You want to skip this before_filter on the login page:
class SessionsController < ApplicationController
skip_before_filter :check_session, only: :new
def new
end
end
I think you have problem in your routes. One way of solution is defining a root path for your app as:
root 'app_entry#index'
Then create a controller for it as given below:
class AppEntryController < ApplicationController
def index
if current_user
redirect_to 'controller_name/action_name'
else
redirect_to '/users/sign_in'
end
end
Hope this helps you.
You should use the before filter like this
before_filter :check_session, :except => [:new]