I need to attach a filter to a model when the user is adding a new entry via the admin page, similar to the way that there is a filter for permissions on the add group page of the admin page. From what I have researched it seems like I need to use a formfield_for_ … method, but I cant seem to be able to make that work
Related
I'm currently working on a rails app where I have two model classes, Account and User. I want to allow users to link their User with account information from other places.
What I want the user to be able to do is, under my edit user form, I have a list displaying the names of all linked accounts, and a text input for them to add more.
All I want them to do is fill in one field (account name) and hit a button, and the back end will hit a restful API for that account name, pull back relevant info, and populate an Account model object, linking to the current user.
For example, from the user page I would like the user to be able to type in their twitter handle, and in the back end I'd look up that twitter account id and associate it with that User in my database.
Where is the right place to have a hook so that I can take an input (twitter handle), fire off a helper method that populates a Account object, and then link that to my current user?
I'm not sure I understood exactly what you were asking but I'll try my best : If your account 'belongs_to' your User model, it would seem logical to use the create or update method (depending on your standard case) of your Accounts controller, to retrieve a JSON with the accounts datas, and that the client parse this answer (with some JS).
I tried to find this on google but can't seem to find anything on this. I have a model called Likes, along with a controller which simply belongs to an Event and a User. I would like to prevent people from creating a Like when they're not logged in, and not allow them to create a like for another user. What is the proper way to do this?
Thank you
When you have a user based system, all queries related to user-owned data need to include the user, or originate from it. Most authentication systems have a helper to get the current user, often called current_user.
Assuming some things about your model, for "liking" an event, you could do it a couple ways:
current_user.likes.create(event_id: params[:event_id])
Like.create(event_id: params[:event_id], user: current_user)
Validations can help as well, making sure event and user IDs are always present. If no user is logged in, this should make it fail, assuming someone guessed the path to try and manually create a like.
I am currently doing a project for uploading pics. There are users, albums, and pics. I added a friendship model so that people can friend each other like a social network. However, I noticed that I put a lot of <% if current_user.friends.include?(#user) %> in the view to check if the user of the page I'm showing is a friend of the logged in client, and therefore allowing them to have certain privileges and forms and etc.. Is there a better way or place to do this than to pollute my views with if/else statements ? Also, I don't feel like my method is very secure since someone could always manually enter the url and mess with info that they're not supposed to.
You want an authorization framework such as CanCan.
In an ability file, you configure it that a user can, say, view something or edit some other thing, only if the user is a friend of the owner. Then in the view or the controller, you can just check that the user is authorized to do the appropriate action.
For specific details about setting up an ability based on details of the models (i.e. whether the owner is a friend of the current user), go to this documentation and look for "Hash of Conditions".
Consider using something like the mosaic-access gem, which allows you to white/blacklist controllers and specific actions for the currently logged in user.
I am new to rails and I am currently in the process of developing a check list app. I would greatly appreciate some guidance as I am currently suck in my development process and would just like some help getting me on my way.
Goal:
Admins will have the privileges to add collections, and add products to those specific collections - (all will be pre-populated and defined before the site goes live).
Users should arrive at the homepage, be presented with a splash page of what the page is and be able to sign in/ up. Once signed in the user should be directed to their profile page.
a.) first time there, they should be presented with a list of collections they want to 'follow" / "watch" (that show up on their profile page to track the products they are missing from the entire collection)
b.) second time there, they should be presented with the collections they are watching, and the all products in that collection.
Once on their profile page, they should be able to "check" and "uncheck" products in the collection. I want to show all the products in the collection regardless if they have them or not, and they can check the ones they have, and I will do some fancy front side stuff to make it visually appealing. (fade from black / color - on true/false value - animate all selected ones to front of container..ect)
What I have:
I have a Collection(has_many) -> Products(belongs_to) association models set up. I have both of the controllers CRUIDified, and the product page is CRUIDified through association with collection. (nested routes / #collection.products.build etc.)
I have a generated Devise User model with email confirmation. I gave that model a User(has_many) -> Collections(belongs_to) association.
My next steps?
I am trying to assign a user to a profile page that I can display the results of the their collections/products. I am stuck as to how to achieve this. Do I need to create a user controller and put a before_filter :authenticate_user! and limit the actions I don't want accessible by normal users? Or do I need to generate a new Model Profile, and put an association there?
If you would like to see my current code it can be found here:
https://github.com/gogogarrett/Blind-Boxd
Thanks in advance,
Garrett
If you want to have a page for signed in users to see their collections and products, you don't necessarily need that to be in a User Controller.
I have put my user overview pages in a pages_controller. You then have a before filter of :authenticate_user!, and you just pass whatever you need into the view (#collections = current_user.collections).
It doesn't sound like you need a new model.
So let's say I have an eBay-type application where only the seller can edit his/her listing. How do I go about restricting access to the Edit action based on the Id of the item we're editing and the currently logged in user?
As far as I can tell, the Authorize attribute only allows you to restrict access to controller actions based on whether the user is authenticated or not and their role. Is this simply something that I need to handle manually within the controller?
A custom attribute deriving from IAuthorizeFilter.
This looks like a pretty good example of controlling actions based on users and roles.
http://www.coderjournal.com/2008/03/securing-mvc-controller-actions/
I'm brand-spanking new at MVC though, so I could be wrong. Check it out and let us know if it helped.