I would like some advice on how could I ban a visitor, I created a board where you can post without having account and other user can report if you are abusing. After 50 report the post is deleted and the visitor should be ban (cannot post or comment anymore) with his IP address.
I took a look to the gem rack-attack but it doesn't seems to fit to my problem. If I understand well I have to add IP in the blocklist or allow2ban by myself and it's not what I'm looking for.
Also I was think about saving the Ip in a table like user_ban but I don't know how I could unban them automatically after few hours or days.
This is why I'm looking for advice or ideas.
Thank you
O.k. so based on what you said, I would recommend a before action in the application controller to just redirect out if the user's ip is in the banned list. Since IP is the only thing you are tracking it is the only thing we have to work with, which, as you mentioned, is not 100%, but it seems like it is the best we can do. In the code below banned_ip_list would include all your banned ips. since you do not specifically say what you would like to do to the banned user I left that open for you inside the method to fill in.
application_controller.rb
before_action :check_if_user_is_banned
...
private
def check_if_user_is_banned
if banned_ip_list.includes?(request.remote_ip)
# what do you want to do here? Keep redirecting to a page and display a message?
end
end
Related
i am using like
def to_param
"#{self.attr1}-#{self.attr2}"
end
and my urls look as I want to, though when I :edit,(editing) the url redirects/goes back to showing the :id.
Im letting guest users change some specific record without logging in sending them through a specific link and I want users to not be able to manually change the url or at least show them a large slug so they can't guess the id.
Thanks in advance for any help, theres many posts around this but can't find a solution to fit my needs.
credit to #Dipak for pointing me in the right direction.
I managed to do it with Friendly_ID gem,
though it gave me some trouble because i had some redirects before the actions and it didn't want to pick up the slugs.
I had my redirects as 'redirect_to mymodel_path'
I finally got it working passing 'redirect_to mymodel_path(mymodel)'
Thanks!
I might be approaching this problem the wrong way ... so if you have a more elegant solution I'm all ears.
Imagine I'm making a system like Kickstarter. I want my users to be able to specify how much they want to pledge before I ask them to sign up.
Then, if they're not registered I need them to sign up before putting them back in the flow that they would have been on had they just signed in. Devise makes this easy by redirecting a user back to the after_sign_up_path_for which ends up being after_sign_in_path_for by default.
So this will always issue a GET request. But if I have data that I received from the POST with the amount they wanted to pledge, but that's lost.
Is the only way to do this to store that posted data in the session? Or is there a clever way to start creating the pledge record without the user (without needing to run jobs to destroy orphaned pledge records)?
I found the approach described in this blog post over at highgroove.com quite interesting in this regard:
http://highgroove.com/articles/2012/10/09/lazy-user-registration-for-rails-apps.html
The basic idea is to always have an anonymous user at hand, even if the current vistor is not registered. Like this you can create e.g. associations as usual and — once the visitor actually does sign–up — you edit the user rather than all associated objects.
If the user does not ever register, you can simply look for abandoned user accounts and delete them including their associations, rather than look for all kind of abandoned models.
I have a very low traffic web site and I want to record the IP address of everyone who visits it.
I know Ruby geocoder can detect IP of whoever's making a request
request.ip # => "216.232.140.27"
However, I'm not sure how I can record this to a database or somehow store it so I can see it if someone just visits my website.
i.e my problem/mental blockage seems to be that I expect someone to click a button in order to trigger a method but I want the IP address stored by someone just visiting....
Can someone explain how I could write a method to store the IP address in a database (or somewhere other than a database such as the logs if that's better) if someone merely visits my site?
If I understand correctly what you need, then you dig in the wrong direction.
First, ip method is contained in a standard request, it is not relevant to the Geocoder: http://api.rubyonrails.org/classes/ActionDispatch/Request.html#method-i-ip
Second, much easier to install third-party statistics in order then keep track of all visitors (by ip or whatever you want). For example: http://www.google.com/analytics/
Hope this helps.
Would something like this work?
https://github.com/wvanbergen/request-log-analyzer/wiki/Creating-a-request-database
i have a question-answer survey..
Only one user can answer on survey! User cant click on previous button (in browser) and once again pass the survey. How i can possible do this? I need sessions and unique token? Please help me, i;m stuck with this...
If you have user-login, then you only need to validate whether they have already voted or not. This is really required to be 100% sure of no dup votes.
If not, you can't 100% guarantee dup votes, but you could make it difficult:
store in the session[:voted] = true
on receiving a vote submission don't accept if session[:voted] == true
Obviously the user can clear cookies which will clear your session.
You could enhance this by logging ip's but then consider proxy-servers (all users from behind the proxy will appear as coming from the same IP -- the proxy).
I you must enforce this then I imagine you'd require users to login and then you can store which surveys / survey sections they have already answered in your database.
Otherwise it's generally enough to prevent people from filling in surveys multiple times by storing their ip address in your system and also setting cookies on their browser based on which sections they have already completed. They can get around this by clearing their cookies but at least if you store their ip address they'd need to change ip to redo the survey.
It's hard to say without knowing the context of the survey. Is it on an existing app where users already have accounts? Is it standalone etc.
Thnanks guys for respons.
I thought about this (user-login), but i want to without it.. so i give link address, user get it, click on this address.. like www.blabalbla.com/test/survey/32643928569832569 (unique token).. and user can pass survey.. then when he finished he cant pass this survey again on this link.
Is there any way to limit a user's login access to only, say, 5 IP addresses daily? Such that if a user account tried to login in the same day from a 6th different IP address, they would be denied. I would like this restriction to reset at the end of the day, however.
If Authlogic doesn't provide a way to track this out of the box, what ideas do you have about how I should implement this? As you can probably tell, I'm already using Authlogic for authentication.
My main goal is to limit my user's ability to share their login with a non-registered user; I know that most people's IP address will change periodically throughout the day because hardly anyone has a personal static IP, but I think 5 is a fair number of allowances, even taking into account that a user may visit my site on their iPhone, or at Starbucks, etc.
Thoughts?
UPDATE: After reading through many of the comments on the link provided by #tadman, I'm thinking that it might be more useful to limit the number of new sessions created on a machine that had none previously instead of by IP address. If I understand how Authlogic works, sessions are a combination of server-side records and a cookie in the user's browser, correct? If I "log out" of my site, the cookie is still there in my browser, is it not? Just with an expired value or something like that. Can I test against that? Such that if a computer that doesn't have that cookie at all I would consider to be a completely NEW login, and I would limit the number of new logins to 5 a day? Would that be feasible approach?
See this user's comments about rate limiting by IP for an angle on what I mean: http://simonwillison.net/2009/Jan/7/ratelimitcache/#c43031
Although you can track this in a database, a more lightweight solution is to track this using Memcached. This allows you to do other things, like limiting login rates and restricting the number of unique IPs a person may visit from over the course of a given time.
The nice thing about Memcached is it will automatically expire records after a specified period of time. With the database-driven approach you will have to do this yourself.
Example: http://simonwillison.net/2009/Jan/7/ratelimitcache/
I'd probably create a table called sessions, which contains ip_address, logged_in_at, user_id. You'd do something like this when a user logs in:
session = current_user.sessions.build(:ip_address => ip_address)
if session.valid?
session.save!
redirect_to root_url
else
redirect_to you_cant_login_url
end
In your session.rb, you'd have
class Session < AR:B
belongs_to :user
validate :hasnt_logged_in_a_bunch
protected
def hasnt_logged_in_a_bunch
if self.user.sessions.count(:conditions => ['logged_in_at > ?', Time.now.start_of_day]) > 5
self.errors.add_to_base("You've logged in too many times")
end
end
Sorry if this is a bit ugly and isn't valid code, but it should hopefully point you in the right direction.