I'm completely new to Ruby on Rails and I'm stuck with giving specific roles permissions. I created 8 different roles with an enum. 2 of them should be allowed to create some "cases". How can I implement that? Maybe someone can help me? Is giving permission the right way?
PS: I'm using Rails 6.0.3.4.
Here my code:
Cases Controller:
class CasesController < ApplicationController
before_action :set_case, only: [:show, :edit, :update, :destroy]
# GET /cases
# GET /cases.json
def index
#cases = Case.all
end
# GET /cases/1
# GET /cases/1.json
def show
end
# GET /cases/new
def new
#case = Case.new
end
# GET /cases/1/edit
def edit
end
# POST /cases
# POST /cases.json
def create
#case = Case.new(case_params)
respond_to do |format|
if #case.save
format.html { redirect_to #case, notice: 'Case was successfully created.' }
format.json { render :show, status: :created, location: #case }
else
format.html { render :new }
format.json { render json: #case.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /cases/1
# PATCH/PUT /cases/1.json
def update
respond_to do |format|
if #case.update(case_params)
format.html { redirect_to #case, notice: 'Case was successfully updated.' }
format.json { render :show, status: :ok, location: #case }
else
format.html { render :edit }
format.json { render json: #case.errors, status: :unprocessable_entity }
end
end
end
# DELETE /cases/1
# DELETE /cases/1.json
def destroy
#case.destroy
respond_to do |format|
format.html { redirect_to cases_url, notice: 'Case was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_case
#case = Case.find(params[:id])
end
# Only allow a list of trusted parameters through.
def case_params
params.require(:case).permit(:first_name, :last_name, :gender, :birthdate, :place_of_residence, :diagnosis, :user_id, :confirmed_at)
end
end
Application Controler:
class ApplicationController < ActionController::Base
before_action :authenticate_user!
end
User.rb
class User < ApplicationRecord
enum role: [:user, :vip, :admin, :arzt, :labor, :ga, :ls, :rki]
after_initialize :set_default_role, if: :new_record?
def set_default_role
self.role ||= :user
end
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :validatable
end
Simplest solution might be a before action...
CasesController << ApplicationController
before_action :allowed_to_create, only: [:new, :create]
private
def allowed_to_create
unless current_user.role.in?(['type1', 'type2'])
flash[:error] = 'You are not allowed to do that'
redirect_to root_path
end
end
end
If your permmissions are likely to be more complex, take a look at the cancancan gem.
Related
notes use rails 5.2 and postgresql
I have Foluser model contains name,email,password,id_watch
I need when admin add new foluser
generate password
when admin create new foluser generate password like Secure Password Generator
get id_watch from admin model and put it to id_watch from Foluser model
Adminwhen register enterusername,email,password,id_watch`
in point 2 need take this id_watch and save it in user model .
admin only create foluser
`
class FolusersController < ApplicationController
before_action :set_foluser, only: [:show, :edit, :update, :destroy]
before_action :authenticate_user!, except: [:index, :show, :new , :create, :edit]
# GET /folusers
# GET /folusers.json
def index
#folusers = current_master.foluser.all
#render json: #folusers
end
# GET /folusers/1
# GET /folusers/1.json
def show
##folusers = Foluser.where(master_id: #master.id).order("created_at DESC")
##foluser = Foluser.find(params[:id])
#render json: #foluser
end
# GET /folusers/new
def new
#foluser = current_master.foluser.build
end
# GET /folusers/1/edit
def edit
#render json: #foluser
end
# POST /folusers
# POST /folusers.json
def create
#foluser = current_master.foluser.build(foluser_params)
respond_to do |format|
if #foluser.save
format.html { redirect_to #foluser, notice: 'Foluser was successfully created.' }
format.json { render :show, status: :created, location: #foluser }
else
format.html { render :new }
format.json { render json: #foluser.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /folusers/1
# PATCH/PUT /folusers/1.json
def update
respond_to do |format|
if #foluser.update(foluser_params)
format.html { redirect_to #foluser, notice: 'Foluser was successfully updated.' }
format.json { render :show, status: :ok, location: #foluser }
else
format.html { render :edit }
format.json { render json: #foluser.errors, status: :unprocessable_entity }
end
end
end
# DELETE /folusers/1
# DELETE /folusers/1.json
def destroy
#foluser.destroy
respond_to do |format|
format.html { redirect_to folusers_url, notice: 'Foluser was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_foluser
#foluser = Foluser.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def foluser_params
params.require(:foluser).permit(:name, :email, :numberphone, :password)
end
end
foluser model
class Foluser < ApplicationRecord
belongs_to :admin, :optional => true
end
admin model
class Master < ApplicationRecord
has_many :foluser
end
Using your current code, setting the id_watch can be done here in the controller:
class FolusersController < ApplicationController
def create
#foluser = current_master.folusers.build(foluser_params)
#foluser.id_watch = current_master.id_watch # <-- !!!
respond_to do |format|
if #foluser.save
# ...
end
end
end
end
Despite our extended conversation above, I'm still unclear what you're trying to achieve with the "password generation".
(Should it be generated in the front-end, or the back-end? Should it be stored encrypted, or in plain text? If encrypted, do you need to be able to reverse this encryption? Is it a "permanent" password, or a "temporary" password? ...)
Therefore, the following code should be taken with a big pinch of salt - since I still don't really know what the desired/correct behaviour is.
In the FolusersController, you've defined the following method:
def foluser_params
params.require(:foluser).permit(:name, :email, :numberphone, :password)
end
However, if you want the password to be generated by the server then you shouldn't be allowing the admin to set the password through the controller. Therefore, remove this parameter:
def foluser_params
params.require(:foluser).permit(:name, :email, :numberphone)
end
And then somewhere - perhaps in the controller, or as a hook in the model - set this password to something random:
class FolusersController < ApplicationController
def create
#foluser = current_master.folusers.build(foluser_params)
#foluser.password = SecureRandom.hex(10 + rand(6))
# ...
end
end
# or
class Foluser < ApplicationRecord
after_initialize :default_password
def default_password
self.password ||= SecureRandom.hex(10 + rand(6))
end
end
I think you found the solution, use rails callbacks in your model to extract this kind of logic from the controller.
But I'd rather use after_initialize than before_save so that you won't set a default password before each save(so possibly even update action)
Then use things like SecureRandom (ActiveSupport concern) (already bundled by rails, no requires required)
after_initialize :defaultpassword
...
def default_password
self.password ||= SecureRandom.hex(10 + rand(6))
end
not the best way to do random I know but feel free to customize it.
secure_random output examples:
=>bf8d42b174d297f6460eef
=>efd28869171a1ec89c3438
=>3855c61fb6b90ed549d777
am using devise for authentication in a rails app everything is working fine, but i have a post model and after signing up when i try to create a new post it shows up an error:
1 error prohibited this post from being saved:
User must exist
I looked into the terminal and got this:
Unpermitted parameter: user_id
(0.0ms) begin transaction
(0.0ms) rollback transaction
i tried adding a user controller
users_controller.rb
class UsersController < ApplicationController
before_action :authenticate_user!
before_action :set_user
before_action :check_ownership, only: [:edit, :update]
respond_to :html, :js
# GET /users
# GET /users.json
def index
#users = User.all
end
# GET /users/1
# GET /users/1.json
def show
end
# GET /users/new
def new
#user = User.new
end
# GET /users/1/edit
def edit
end
# POST /users
# POST /users.json
def create
#user = User.new(user_params)
respond_to do |format|
if #user.save
format.html { redirect_to #user, notice: 'User was successfully created.' }
format.json { render action: 'show', status: :created, location: #user }
else
format.html { render action: 'new' }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /users/1
# PATCH/PUT /users/1.json
def update
respond_to do |format|
if #user.update(user_params)
format.html { redirect_to #user, notice: 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: 'edit' }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
#user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
#user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def user_params
params.require(:user).permit(:name, :email)
end
end
my posts_controler.rb
class PostsController < ApplicationController
before_action :authenticate_user!, :except => [:show, :index]
before_action :set_post, only: [:show, :edit, :update, :destroy]
# GET /posts
# GET /posts.json
def index
#posts = Post.all
end
# GET /posts/1
# GET /posts/1.json
def show
end
# GET /posts/new
def new
#post = Post.new
end
# GET /posts/1/edit
def edit
end
# POST /posts
# POST /posts.json
def create
#post = Post.new(post_params)
respond_to do |format|
if #post.save
format.html { redirect_to #post, notice: 'Post was successfully created.' }
format.json { render :show, status: :created, location: #post }
else
format.html { render :new }
format.json { render json: #post.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /posts/1
# PATCH/PUT /posts/1.json
def update
respond_to do |format|
if #post.update(post_params)
format.html { redirect_to #post, notice: 'Post was successfully updated.' }
format.json { render :show, status: :ok, location: #post }
else
format.html { render :edit }
format.json { render json: #post.errors, status: :unprocessable_entity }
end
end
end
# DELETE /posts/1
# DELETE /posts/1.json
def destroy
#post.destroy
respond_to do |format|
format.html { redirect_to posts_url, notice: 'Post was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_post
#post = Post.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def post_params
params.require(:post).permit(:tittle, :body)
end
end
My user model
class User < ApplicationRecord
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
has_many :posts
end
My post model
class Post < ApplicationRecord
belongs_to :user
end
i have also added user_id to user through this migration:
class AddUseridToPost < ActiveRecord::Migration[5.0]
def change
add_column :posts, :user_id, :integer
end
end
as the error says, permit the user_id as follows
def post_params
params.require(:post).permit(:tittle, :body, :user_id)
end
Or, better approach is you generate a new post for the logged_in user as in post create:
def create
#post = current_user.posts.new(post_params)
# ...other logic
end
This way, you don't need to allow user_id also, it will ensure that the params are not tampered with..
If you add column in your model, you should add it to your permitted params. So add :user_id in your permitted params in posts_controller:
def post_params
params.require(:post).permit(:tittle, :body, :user_id)
end
In my app I originally created a User scaffold and then afterwards I created a Devise User model that simply added attributes to the User model, however in my user controller whenever I try to make the parameter "username" a permitted parameter, it still spits up the error "username is not a permitted parameter".
My user.rb
class User < ActiveRecord::Base
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :rememberable, :trackable, :validatable
belongs_to :role
def email_required?
false
end
def email_changed?
false
end
end
My User Controller
class UsersController < ApplicationController
before_filter :authenticate_user!
before_action :set_user, only: [:show, :edit, :update, :destroy]
# GET /users
# GET /users.json
def index
#users = User.all
end
# GET /users/1
# GET /users/1.json
def show
end
# GET /users/new
def new
#user = User.new
end
# GET /users/1/edit
def edit
end
# POST /users
# POST /users.json
def create
#user = User.new(user_params)
respond_to do |format|
if #user.save
format.html { redirect_to #user, notice: 'User was successfully created.' }
format.json { render :show, status: :created, location: #user }
else
format.html { render :new }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /users/1
# PATCH/PUT /users/1.json
def update
respond_to do |format|
if #user.update(user_params)
format.html { redirect_to #user, notice: 'User was successfully updated.' }
format.json { render :show, status: :ok, location: #user }
else
format.html { render :edit }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
#user.destroy
respond_to do |format|
format.html { redirect_to users_url, notice: 'User was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
#user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def user_params
params.require(:user).permit(:role_id, :username, :password, :password_confirmation)
end
end
As you can see I've put the 'username' attribute into the strong params but it still isnt permitted. Any help is greatly appreciated, thanks!
try this in your application_controller.rb
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email, :password) }
end
documentation https://github.com/plataformatec/devise#strong-parameters
i've been starting to learn rails and ruby. Im coding and app that one user has many buys and sell. I've been doing all the tutorials and looking for many answers here in SOF but without success so this is my issue:
NoMethodError in SellsController#create
undefined method `sell' for #
Where my user is "usuario" in spanish.
I know im missing something in somewhere because i already do this with the buys and works good. These are my files
Usuario.rb (Model)
class Usuario < ActiveRecord::Base
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
has_many :sells
has_many :buys
end
There is the "Has_many"
Sell.rb (Model)
class Sell < ActiveRecord::Base
belongs_to :usuario
after_create :set_estado
private
def set_estado
self.estado = true
end
end
That method is because Im trying to set the "estado" (Status) as true.
Sells Controller
class SellsController < ApplicationController
before_action :set_sell, only: [:show, :edit, :update, :destroy]
before_action :authenticate_usuario!
# GET /sells
# GET /sells.json
def index
#sells = Sell.all
end
# GET /sells/1
# GET /sells/1.json
def show
end
# GET /sells/new
def new
#sell = Sell.new
end
# GET /sells/1/edit
def edit
end
# POST /sells
# POST /sells.json
def create
#sell = current_usuario.sell.new(sell_params)
respond_to do |format|
if #sell.save
format.html { redirect_to #sell, notice: 'La venta ha sido creada con exito' }
format.json { render :show, status: :created, location: #sell }
else
format.html { render :new }
format.json { render json: #sell.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /sells/1
# PATCH/PUT /sells/1.json
def update
respond_to do |format|
if #sell.update(sell_params)
format.html { redirect_to #sell, notice: 'La venta ha sido modificada con exito.' }
format.json { render :show, status: :ok, location: #sell }
else
format.html { render :edit }
format.json { render json: #sell.errors, status: :unprocessable_entity }
end
end
end
# DELETE /sells/1
# DELETE /sells/1.json
def destroy
#sell.destroy
respond_to do |format|
format.html { redirect_to sells_url, notice: 'La venta ha sido eliminada con exito.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_sell
#sell = Sell.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def sell_params
params.require(:sell).permit(:usuario_id, :fecha_compra, :peso_final, :monto, :estado, :cantidad)
end
end
Im using scaffolds and the gem devise for authenticate.
I don't know what im missing because i have almost the same thing in buys and it's working but for sells doesnt work :(
My Routes.db
Rails.application.routes.draw do
devise_for :usuarios
devise_for :users
resources :usuarios do
resources :buys
resources :sells
end
get 'welcome/index'
post 'welcome/index'
post 'users/index'
resources :buys
resources :users
resources :sells
end
This is my first app on rails so i dont know what i missing now. Im using devise,Rails 4.2.1 and postgre as database
If your association is a has_many, Rails will use the plural form of the model as the association name. So instead of
current_usario.sell.new
try:
current_usario.sells.build
If you only expect one Sell per user, use a has_one association instead.
P.S. You might consider using "sales" instead of "sells", and "purchases" instead of "buys".
Good afternoon,
I've done a scaffold of a class, here the example: User - At the moment I was executing the test I saw this bug:
Minitest::Assertion: "User.count" didn't change by 1.
Expected: 3
Actual: 2
test/controllers/users_controller_test.rb:20:in `block in <class:UsersControllerTest>'
the refering code of the bug is this one:
test "should create user" do
assert_difference('User.count') do
post :create, user: { name: 'test', password: 'secret', password_confirmation: 'secret' }
end
assert_redirected_to user_path(assigns(:user))
end
So the code above was created by the scaffold, I just change the name reference.
UserController:
class UsersController < ApplicationController
before_action :set_user, only: [:show, :edit, :update, :destroy, :reset_password]
# GET /users
# GET /users.json
def index
#users = super
end
# GET /users/1
# GET /users/1.json
def show
end
# GET /users/new
def new
#user = User.new
end
# GET /users/1/edit
def edit
end
# POST /users
# POST /users.json
def create
#user = User.new(user_params)
respond_to do |format|
if #user.save
format.html { redirect_to #user, notice: get_action_message }
format.json { render :show, status: :created, location: #user }
else
format.html { render :new }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /users/1
# PATCH/PUT /users/1.json
def update
#user.update(user_params)
respond_to do |format|
if #user.update(user_params)
format.html { redirect_to #user, notice: get_action_message }
format.json { render :show, status: :ok, location: #user }
else
format.html { render :edit }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
#user.destroy
respond_to do |format|
format.html { redirect_to users_url, notice: get_action_message }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
#user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def user_params
params.require(:user).permit(:name, :password, :password_confirmation)
end
def search_params
super - ['password_digest']
end
def show_attributes
#show_attributes = super - ['password_digest']
end
end
UserModel
class User < ActiveRecord::Base
nilify_blanks
validates :name, presence: true, uniqueness: true;
has_secure_password
end
For what I was able to understand, the "create" it's not being executed. I've put the breakpoint on the Controller create but its not stoping there..
What am I doing wrong, besides my poor english skills?
Tks for the helping!!
Thks guys,
I found this bug.
I had forgotten to put in the user Session