Develop Reference

Rails pundit gem, permit view to non signed-in users

I'm using the pundit gem in order to give permissions to three different users(Admin, seller, viewer). Currently I got everything working, admin has access to everything, seller to his own products and viewer can just view the products.
The only glitch I'm having is that I would like the non signed_up/signed_in users to be able to view the products via search results. Right now non sign_up/signed_in users can see the search results but don't have access to the show view.
Here is the setup I have:
class ItemPolicy < ApplicationPolicy
attr_reader :item
def initialize(user, record)
super(user, record)
#user = user
#item = record
end
def update?
#user.is_a?(Admin) ? item.all : #user.items
end
def index?
#user.is_a?(Admin) ? item.all : #user.items
end
def show?
#user.is_a?(Admin) ? item.all : #user.items
end
def create?
#user.is_a?(Admin) ? item.all : #user.items
end
def new?
#user.is_a?(Admin) ? item.all : #user.items
end
def edit?
#user.is_a?(Admin) ? item.all : #user.items
end
def destroy?
#user.is_a?(Admin) ? item.all : #user.items
end
class Scope < Struct.new(:user, :scope)
def resolve
if user.is_a?(Admin)
scope.where(:parent_id => nil)
elsif user.is_a?(Seller)
scope.where(:id => user.items)
end
end
def show?
return true if user.is_a?(Admin)
return true if user.seller_id == seller.id && user.is_a?(Seller)
false
end
end
end
the controller:
class ItemsController < ApplicationController
before_action :set_item, only: [:show, :edit, :update, :destroy]
def index
authorize Item
#items = policy_scope(Item)
end
def search
if params[:term]
#items = Item.search(params[:term]).order("created_at DESC")
else
#items = []
end
end
def show
#comments = Comment.where(item_id: #item).order("created_at DESC")
#items = policy_scope(Item).find(params[:id])
authorize #item
end
def new
#item = Item.new
authorize #item
#categories = Category.order(:name)
end
def edit
authorize #item
#categories = Category.order(:name)
end
def create
#item = Item.new(item_params)
authorize #item
respond_to do |format|
if #item.save
format.html { redirect_to #item, notice: 'Item was successfully created.' }
format.json { render :show, status: :created, location: #item }
else
format.html { render :new }
format.json { render json: #item.errors, status: :unprocessable_entity }
end
end
end
def update
authorize #item
respond_to do |format|
if #item.update(item_params)
format.html { redirect_to #item, notice: 'Item was successfully updated.' }
format.json { render :show, status: :ok, location: #item }
else
format.html { render :edit }
format.json { render json: #item.errors, status: :unprocessable_entity }
end
end
end
def destroy
authorize #item
#item.destroy
respond_to do |format|
format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_item
#item = Item.find(params[:id])
authorize #item
end
def item_params
params.require(:item).permit(:title, :description, :image, :price, :category_id)
end
end
application_contoller.rb
class ApplicationController < ActionController::Base
include Pundit
protect_from_forgery prepend: true
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
def pundit_user
current_seller || current_admin || current_viewer
end
private
def user_not_authorized(exception)
policy_name = exception.policy.class.to_s.underscore
flash[:warning] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
redirect_to(request.referrer || root_path)
end
end
Update 1
class ApplicationPolicy
attr_reader :user, :record
def initialize(user, record)
raise Pundit::NotAuthorizedError, "must be logged in" unless user
#user = user
#record = record
end
def index?
true # anybody can view
end
def show?
true # anybody can view
end
def search?
index?
end
def new?
create?
end
def edit?
update?
end
def destroy?
update?
end
private
# don't repeat yourself
def admin?
user.is_a?(Admin)
end
def seller?
user.is_a?(Seller)
end
end
class ItemPolicy < ApplicationPolicy
attr_reader :item
class Scope < Struct.new(:user, :scope)
def resolve
if admin?
scope.where(parent_id: nil)
elsif seller?
# avoids a query for user.items
scope.where(seller: user)
end
end
end
def initialize(user, record)
super(user, record)
#user = user
#item = record
end
def update?
admin? || is_owner?
end
def create?
# just guessing here
admin? || seller?
end
private
def is_owner?
# or whatever the association between the item and its owner is
item.seller == user
end
end

You are confusing scopes and the authorization methods in Pundit. The new?, show? etc. methods should return a boolean indicating if the user is allowed to perform the action at all.
To allow unauthorized users to perform an action you simply return true.
Scopes are used to narrow down which records the user has access to. They only have a resolve method.
class ApplicationPolicy
# ...
private
# don't repeat yourself
def admin?
user.is_a?(Admin)
end
def seller?
user.is_a?(Seller)
end
end
class ItemPolicy < ApplicationPolicy
attr_reader :item
class Scope < Struct.new(:user, :scope)
def resolve
if admin?
scope.where(parent_id: nil)
elsif seller?
# avoids a query for user.items
scope.where(seller: user)
end
end
end
def initialize(user, record)
super(user, record)
#user = user
#item = record
end
def update?
admin? || is_owner?
end
def index?
true # anybody can view
end
def show?
true # anybody can view
end
def search?
index?
end
def create?
# just guessing here
admin? || seller?
end
def new?
create?
end
def edit?
update?
end
def destroy?
update?
end
private
def is_owner?
# or whatever the association between the item and its owner is
item.seller == user
end
end
Instead of repeating yourself (the conditions) you can shortcut many of the actions since the permissions for editing for example is the same as updating. You can even do this in the ApplicationPolicy so that you don't have to repeat it in each policy class:
class ApplicationPolicy
# ...
def index?
true # anybody can view
end
def show?
true # anybody can view
end
def search?
index?
end
def new?
create?
end
def edit?
update?
end
def destroy?
update?
end
private
# don't repeat yourself
def admin?
user.is_a?(Admin)
end
def seller?
user.is_a?(Seller)
end
end
class ItemPolicy < ApplicationPolicy
attr_reader :item
class Scope < Struct.new(:user, :scope)
def resolve
if admin?
scope.where(parent_id: nil)
elsif seller?
# avoids a query for user.items
scope.where(seller: user)
end
end
end
def initialize(user, record)
super(user, record)
#user = user
#item = record
end
def update?
admin? || is_owner?
end
def create?
# just guessing here
admin? || seller?
end
private
def is_owner?
# or whatever the association between the item and its owner is
item.seller == user
end
end
You are also authorizing the user twice at many places in your controller as it is as already performed by the set_item callback:
class ItemsController < ApplicationController
before_action :set_item, only: [:show, :edit, :update, :destroy]
def index
authorize Item
#items = policy_scope(Item)
end
def search
if params[:term]
#items = Item.search(params[:term]).order("created_at DESC")
else
#items = Item.none # Don't use [] as #items.none? for example would blow up.
end
end
def show
#comments = Comment.where(item_id: #item).order("created_at DESC")
authorize #item
end
def new
#item = authorize(Item.new)
#categories = Category.order(:name)
end
def edit
#categories = Category.order(:name)
end
def create
#item = authorize(Item.new(item_params))
respond_to do |format|
if #item.save
format.html { redirect_to #item, notice: 'Item was successfully created.' }
format.json { render :show, status: :created, location: #item }
else
format.html { render :new }
format.json { render json: #item.errors, status: :unprocessable_entity }
end
end
end
def update
respond_to do |format|
if #item.update(item_params)
format.html { redirect_to #item, notice: 'Item was successfully updated.' }
format.json { render :show, status: :ok, location: #item }
else
format.html { render :edit }
format.json { render json: #item.errors, status: :unprocessable_entity }
end
end
end
def destroy
#item.destroy
respond_to do |format|
format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_item
#item = authorize( Item.find(params[:id]) )
end
def item_params
params.require(:item).permit(:title, :description, :image, :price, :category_id)
end
end

How to Navigate to User's Specific Path?

I have a Vitals Page for each user
This is populated in the above vitals path from various models I have in my app.
User1 books an appointment with User2 (Doctor) ....(I don't have 2 user types)
User 2's View of Appointment booked by User1
When User2 click's on the Vitals and Reports in the Your Patients Section....
I am still seeing the Vitals and Reports of User2 but I want to see User 1's Vital and Reports Pages.
How do I do it??
This is my Reports Controller:
class ReportsController < ApplicationController
before_action :set_report, only: [:show, :edit, :update, :destroy]
before_action :authenticate_user!
# GET /reports
# GET /reports.json
def index
#reports = current_user.reports
end
# GET /reports/1
# GET /reports/1.json
def show
end
# GET /reports/new
def new
#report = current_user.reports.build
end
# GET /reports/1/edit
def edit
end
# POST /reports
# POST /reports.json
def create
#report = current_user.reports.build(report_params)
respond_to do |format|
if #report.save
format.html { redirect_to #report, notice: 'Report was successfully created.' }
format.json { render :show, status: :created, location: #report }
else
format.html { render :new }
format.json { render json: #report.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /reports/1
# PATCH/PUT /reports/1.json
def update
respond_to do |format|
if #report.update(report_params)
format.html { redirect_to #report, notice: 'Report was successfully updated.' }
format.json { render :show, status: :ok, location: #report }
else
format.html { render :edit }
format.json { render json: #report.errors, status: :unprocessable_entity }
end
end
end
# DELETE /reports/1
# DELETE /reports/1.json
def destroy
if current_user.id == #report.user.id
#report.destroy
respond_to do |format|
format.html { redirect_to reports_url, notice: 'Report was successfully destroyed.' }
format.json { head :no_content }
end
else
redirect_to root_path, notice: "You don't have permission."
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_report
#report = Report.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def report_params
params.require(:report).permit(:name, :attachment)
end
end
And this is my Appointments Controller:
class AppointmentsController < ApplicationController
before_action :authenticate_user!, except: [:notify]
def preload
practice = Practice.find(params[:practice_id])
today = Date.today
appointments = practice.appointments.where("date >= ?", today)
render json: appointments
end
def create
#appointment = current_user.appointments.create(appointment_params)
if #appointment
# send request to PayPal
values = {
business: 'abc#gmail.com',
cmd: '_xclick',
upload: 1,
notify_url: 'url.com',
amount: #appointment.price,
item_name: #appointment.practice.speciality,
item_number: #appointment.id,
quantity: '1',
return: 'url.com/your_trips'
}
redirect_to "https://www.sandbox.paypal.com/cgi-bin/webscr?" + values.to_query
else
redirect_to #appointment.practice, alert: "Oops, something went wrong..."
end
end
protect_from_forgery except: [:notify]
def notify
params.permit!
status = params[:payment_status]
appointment = Appointment.find(params[:item_number])
if status == "Completed"
appointment.update_attributes status: true
else
appointment.destroy
end
render nothing: true
end
protect_from_forgery except: [:your_trips]
def your_trips
#trips = current_user.appointments.where("status = ?", true)
end
def your_appointments
#practices = current_user.practices
end
def check_date_time
if params[:time].blank? || params[:date].blank?
render json: {status: true}
else
arr = []
arr1 = []
Appointment.where(practice_id: params[:practice_id]).map{|a| arr << "#{a.date} #{a.time.strftime("%T") }" unless a.time.nil? }
arr.map{|a| arr1 << DateTime.parse(a).to_i }
d = DateTime.parse("#{params[:date]} #{params[:time]}").to_i
if arr1.include?(d)
render json: {status: false}
else
render json: {status: true}
end
end
end
private
def appointment_params
params.require(:appointment).permit(:date, :hour, :price, :reason, :practice_id, :time)
end
end

Can't create data rails, no method error

I'm implementing a website using Ruby on Rails. I have a trouble which I cannot create a new data and save to my model. The error i got is this which the error pointed to the #vpermits = current_user.vpermits.build(vpermit_params). Anyone have idea on what I have i done wrong?
NoMethodError in VisitorPermitsController#create
undefined method `vpermits' for #<User:0x9b7b478>
def create
#vpermits = current_user.vpermits.build(vpermit_params)
if #vpermits.save
redirect_to #vpermits
else
This is my visitor_permits_controller.rb
class VisitorPermitsController < ApplicationController
before_action :set_vpermit, only: [:destroy]
def index
#vpermits = VisitorPermit.where(:user_id => current_user.id)
end
def new
#vpermits = VisitorPermit.new
end
def create
#vpermits = current_user.vpermits.build(vpermit_params)
if #vpermits.save
redirect_to #vpermits
else
render 'new'
end
end
def destroy
VisitorPermit.destroy_all(user_id: current_user)
respond_to do |format|
format.html { redirect_to root_path, notice: 'Permit was successfully canceled.' }
format.json { head :no_content }
end
end
def show
#vpermits = VisitorPermit.find(params[:id])
end
def update
#vpermits = VisitorPermit.where(user_id: current_user).take
respond_to do |format|
if #vpermits.update(vpermit_params)
format.html { redirect_to root_path}
flash[:success] = "Permit successfully updated"
format.json { render :show, status: :ok, location: #user }
else
format.html { render :edit }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
def edit
#vpermits = VisitorPermit.find(params[:id])
end
private
# Use callbacks to share common setup or constraints between actions.
def set_vpermit
#vpermits = VisitorPermit.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def vpermit_params
params.require(:visitor_permit).permit(:vehicle_type, :name, :department, :carplate, :duration, :permitstart, :permitend)
end
end

From your code you might have association(has_many) between User and VistorPermit models. And you gave your model name as VistorPermit. So the
line of code for buliding should be like this:
#vpermits = current_user.vistor_permits.build(vpermit_params)

Rails polymorphic commenting with permalink/token urls

In my app I have a commenting system that's largely based off of this railscast. Now in my models I'm changing the to_param to a random string so the id isn't in the url. But then that breaks commenting.
status.rb
class Status < ActiveRecord::Base
attr_accessible :content, :member_id, :document_attributes, :permalink
belongs_to :member
belongs_to :document
has_many :comments, as: :commentable, dependent: :destroy
before_create :make_it_permalink
accepts_nested_attributes_for :document
def to_param
permalink
end
private
def make_it_permalink
# this can create permalink with random 12 digit alphanumeric
self.permalink = SecureRandom.hex(12)
end
end
statuses_controller.rb
class StatusesController < ApplicationController
before_filter :authenticate_member!, only: [:index, :new, :create, :destroy]
before_filter :find_member
rescue_from ActiveRecord::RecordNotFound do
render file: 'public/404', status: 404, formats: [:html]
end
def index
#statuses = Status.order('created_at desc').page(params[:page]).per_page(21)
respond_to do |format|
format.html # index.html.erb
format.js
end
end
def show
#status = Status.find_by_permalink(params[:id])
#commentable = #status
#comments = #commentable.comments.order('created_at desc').page(params[:page]).per_page(15)
#comment = #commentable.comments.new
respond_to do |format|
format.html # show.html.erb
format.json { redirect_to profile_path(current_member) }
end
end
def new
#status = Status.new
#status.build_document
respond_to do |format|
format.html # new.html.erb
format.json { render json: #status }
format.js
end
end
def create
#status = current_member.statuses.new(params[:status])
respond_to do |format|
if #status.save
#activity = current_member.create_activity(#status, 'created')
format.html { redirect_to :back }
format.json
format.js
else
format.html { redirect_to profile_path(current_member), alert: 'Post wasn\'t created. Please try again and ensure image attchments are under 10Mbs.' }
format.json { render json: #status.errors, status: :unprocessable_entity }
format.js
end
end
end
def destroy
#status = current_member.statuses.find(params[:id])
#activity = Activity.find_by_targetable_id(params[:id])
#commentable = #status
#comments = #commentable.comments
if #activity
#activity.destroy
end
if #comments
#comments.destroy
end
#status.destroy
respond_to do |format|
format.html { redirect_to profile_path(current_member) }
format.json { head :no_content }
end
end
private
def find_member
#member = Member.find_by_user_name(params[:user_name])
end
def find_status
#status = current_member.statuses.find_by_permalink(params[:id])
end
end
comments_controller.rb
class CommentsController < ApplicationController
before_filter :authenticate_member!
before_filter :load_commentable
before_filter :find_member
def index
redirect_to root_path
end
def new
#comment = #commentable.comments.new
end
def create
#comment = #commentable.comments.new(params[:comment])
#comments = #commentable.comments.order('created_at desc').page(params[:page]).per_page(15)
#comment.member = current_member
respond_to do |format|
if #comment.save
format.html { redirect_to :back }
format.json
format.js
else
format.html { redirect_to :back }
format.json
format.js
end
end
end
def destroy
#comment = Comment.find(params[:id])
respond_to do |format|
if #comment.member == current_member || #commentable.member == current_member
#comment.destroy
format.html { redirect_to :back }
format.json
format.js
else
format.html { redirect_to :back, alert: 'You can\'t delete this comment.' }
format.json
format.js
end
end
end
private
# def load_commentable
# resource, id = request.path.split('/')[1,2] # photos/1/
# #commentable = resource.singularize.classify.constantize.find(id) # Photo.find(1)
# end
# alternative option:
def load_commentable
klass = [Status, Medium, Project, Event, Listing].detect { |c| params["#{c.name.underscore}_id"] }
#commentable = klass.find(params["#{klass.name.underscore}_id"])
end
#def load_commentable
# #commentable = params[:commentable_type].camelize.constantize.find(params[:commentable_id])
#end
def find_member
#member = Member.find_by_user_name(params[:user_name])
end
end
The problem lies in the load_commentable method in the comments_controller. I've tried a couple different variations of the method but the second one works best for my app and it was working when the url's had their id's in them. But since I overwrote the to_param to use my random permalink commenting stopped working because it's trying to find theid where it equals the permalink. Since it seems to try to find the id through the url, how do I pass the the actual id and not the permalink or how do I find commentable by it's permalink instead of id?

It's hard to tell if your param will always be the value of id or always be the permalink, or will sometimes be an id and sometimes a permalink.
If it will always be a permalink, then do:
#commentable = klass.find_by_permalink(params["#{klass.name.underscore}_id"])
instead of
#commentable = klass.find(params["#{klass.name.underscore}_id"])
If it is sometimes id and sometimes other, then you will need make logic to determine which is needed based on the class.

Rails 3: despair - cannot login to successfully created account with Authlogic

I installed Authlogic gem, set up controllers and models. When I make a registration of new account with Authlogic, everything is successfully created in the DB table (like crypted_password, password_salt etc).
The components: UserSessionsController:
# encoding: utf-8
class UserSessionsController < ApplicationController
def new
#user_session = UserSession.new
end
def create
#user_session = UserSession.new(params[:user_session])
respond_to do |format|
if #user_session.save
format.html { redirect_to(root_url, :flash => { success: 'Successfully logged in.'}) }
format.xml { render :xml => #user_session, :status => :created, :location => #user_session }
else
format.html { #render :action => :new
redirect_to :back
flash[:warning] = 'Wrong credentials.'
}
format.xml { render :xml => #user_session.errors, :status => :unprocessable_entity }
end
end
end
def signin
#user_session = UserSession.new
end
def destroy
#user_session = UserSession.find
#user_session.destroy
respond_to do |format|
format.html { redirect_to(root_url, :notice => 'Logged out.') }
format.xml { head :ok }
end
end
end
UsersController
class UsersController < ApplicationController
filter_access_to :all
def index
#users = User.all
respond_to do |format|
format.html # index.html.erb
format.json { render json: #users }
end
end
def show
#user = User.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.json { render json: #user }
end
end
def signup
#user = User.new
#categories = Category.order('name')
end
def new
#user = User.new
#categories = Category.order('name')
respond_to do |format|
format.html # new.html.erb
format.json { render json: #user }
end
end
def edit
#user = User.find(params[:id])
#categories = Category.order('name')
redirect_to root_url unless current_user.id == #user.id
end
def create
params[:user][:id_code] = User.random_numbers
params[:user][:url_name] = params[:user][:name].parameterize
#user = User.new(params[:user])
respond_to do |format|
if #user.save
Assignment.create(:user_id => #user.id, :role_id => MEMBER)
format.html { redirect_to root_url, notice: 'User was successfully created.' }
format.json { render json: #user, status: :created, location: #user }
else
format.html { render action: "new" }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
def update
#user = User.find(params[:id])
respond_to do |format|
if #user.update_attributes(params[:user])
format.html { redirect_to #user, notice: 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
def destroy
#user = User.find(params[:id])
#user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
end
application_controller.rb
class ApplicationController < ActionController::Base
protect_from_forgery
before_filter :mailer_set_url_options
before_filter :set_current_user
helper_method :current_user_session, :current_user
def mailer_set_url_options
ActionMailer::Base.default_url_options[:host] = request.host_with_port
end
protected
def set_current_user
Authorization.current_user = current_user
end
private
def current_user_session
logger.debug "ApplicationController::current_user_session"
return #current_user_session if defined?(#current_user_session)
#current_user_session = UserSession.find
end
def current_user
logger.debug "ApplicationController::current_user"
return #current_user if defined?(#current_user)
#current_user = current_user_session && current_user_session.user
end
def authentication
logger.debug "ApplicationController::authentication"
unless current_user
#store_location
flash[:warning] = "You must be logged out to access this page"
redirect_to root_url
return false
end
end
end
user_session.rb
class UserSession < Authlogic::Session::Base
# attr_accessible :data, :sessions_id
generalize_credentials_error_messages "Login info is invalid!"
def to_key
new_record? ? nil : [ self.send(self.class.primary_key) ]
end
self.logout_on_timeout = true
def persisted?
false
end
end
user.rb
class User < ActiveRecord::Base
attr_accessible #list of all columns
acts_as_authentic do |c|
c.login_field = 'email'
c.logged_in_timeout(15.minutes)
end
has_many :assignments
has_many :roles, :through => :assignments
#validates...
# declarative_authentications
def role_symbols
roles.map do |role|
role.name.underscore.to_sym
end
end
end
I am trying to solve this issue already second day, but I still cannot find the problem... In the DB table are all data needed for Authlogic created, but when I try to log in, I always get the error message Wrong credentials..
Could anyone help me, please, with this problem? I already have no idea, how to fix it :/

Ok, problem seems to be solved - I used for my purposes the column name active, which using also Authlogic.
Renamed to activity and everything is working well.