Override SessionsController to refuse access based on user attribute - ruby-on-rails

I have a rails 4 project, where I'm using DeviseTokenAuth.
Everything works fine, but I'd like to refuse access to user with a specific status.
So basically
if user.status == :locked => Account :unauthorized
So this is what I've done so far
class SessionsController < DeviseTokenAuth::SessionsController
def new
super
end
def create
super
render json: { error: "Account is locked MOFO " }, status: :unauthorized if current_user.status.to_sym == :locked
end
end
But when I do that I get :
AbstractController::DoubleRenderError - Render and/or redirect were called multiple times in this action. Please notethat you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return".:
Any idea ?
thanks

This error happens because double render methods are called from sessions controller create method. One option is to override render_create_success method to get the desired result.
class SessionsController < DeviseTokenAuth::SessionsController
protected
def render_create_success
if current_user.status.to_sym == :locked
render json: { error: "Account is locked MOFO " }, status: :unauthorized
else
super
end
end
end

Related

Following code still works after error render

I have a concern module as below
concerns/onboarding.rb
module Onboarding
def status(onboard, params)
if onboard.finished? && params[:process].present?
render json: { error: 'You have already finished.' }, status: :not_implemented
end
end
end
I am using it below
module MyAccount::User
class OnboardingsController < ApplicationController
include Onboarding
def update
status(current_kyc, params)
current_kyc.update!(wizard_params)
end
private
def current_kyc
#wizard ||= current_user.onboardings.where(company_id: current_company.id).last
end
def wizard_params
params.require(:onboarding).permit(:step, :finished)
end
end
end
This issue is, after render json: { error: 'You have already finished.' }, status: :not_implemented, current_kyc.update!(wizard_params) is still executed. I don't know what the issue but current_kyc.update!(wizard_params) shouldn’t be implemented if render json: { error: 'You have already finished.' }, status: :not_implemented is executed.
Calling render doesn't return or stop execution of a controller method. It only sets what should happen after the method call.
You can use performed? to check if the render method was already called, like this:
def update
status(current_kyc, params)
current_kyc.update!(wizard_params) unless performed?
end
But I am not really sure if this improves readability and makes it easier to understand what is actually going on in the controller.

Rails action params[:user] not provided how return error

I am working on a project where I want ensure that if request does not have user params it should send error, so I used following method in controller
class UsersController < ApplicationController
before_action :check_params
private
def user_params
params.require(:user).permit(:email, :password)
end
def check_params
render json: { error: 'No user params provided' }, status: 401 unless params[:user]
end
end
It is working fine but I have to put on each individual controller, is there way I can add it in Application for all controllers! as only params[:user] changing, so if I have params[:company] I have to add another method in CompaniesController with params[:company] which is not really dry. I am surprise when we use params.require(:user) why it gives errors instead return validation error.
I look like you want to rescue from ActionController::ParameterMissing with a custom error message. The Rails way to do that is the rescue_from method.
Add the following to your controller:
rescue_from 'ActionController::ParameterMissing' do |exception|
render json: { error: 'No user params provided' }, status: 401
end
Well instead of creating this whole method you can do just check before where your action is checking params[:user] and reject on single line like following
#user = User.find_by_email(params[:user][:email]) if params[:user]
Now it won't search for your params[:user]
You can move common logic into a method in the base class, then derived classes can pass own "changeable" variables to it or ignore a method
class ApplicationController
def check_params(name, error_message)
render json: { error: error_message }, status: 400 if params[name].nil?
end
end
Usage
class UsersController < ApplicationController
before_action -> { check_params(:user, "User is missing") }
end

DRY concepts in rails controllers

I'm working on my first rails api server.
I've got a controller for my User model that looks as such:
class UsersController < ApplicationController
def index
if current_user.admin?
#users = User.all
render json: #users
else
render json: { message: 'You do not have the appropriate permissions to access this resource' }, status: 401
end
end
def show
if User.exists?(#id)
#id = params[:id]
if current_user.id.to_s == #id || current_user.admin?
#user = User.find(#id)
render json: #user
else
render json: { message: 'You do not have the appropriate permissions to access this resource' }, status: 401
end
else
render json: { message: 'Requested resource not found' }, status: 404
end
end
end
What I want and currently have for these two controller methods is:
/users fetch all users only if the authenticated user making the request is of role admin
/users/:id fetch a user by id only if the authenticated user making the request has a matching id or is of role admin
The current implementation breaks the DRY philosophy. The reasoning is that the logic for handling whether or not the requesting user has the permissions to access the requested resource(s) is repeated across both controller methods. Furthermore, any model's controller method for show will repeat the logic for checking whether or not the requested resource exists. I also feel like this kind of implementation makes for fat controllers, where I'd rather them be skinny.
What I want to know from the community and from those that have solved this problem before; what is the best way to go about this in order to conform to the DRY philosophy and to keep controllers skinny.
Good to know: I'm using devise and devise-token-auth for authentication.
You need to use some kind of Authorization gem like cancancan. It is exactly what you need. Also it's else not elsif. elsif is followed by condition.
You can use github.com/varvet/pundit instead, for authorization.
It matches with the controller, instead of putting the authorization in the controller, you can use this to move out the authorization to another class.
I have used this across multiple Rails/Rails-API projects and didn't encounter a problem so far.
Instead of writing the code above. You can do this instead.
Also, prioritize early returns over nested ifs for readability.
In your controller.
class UsersController < ApplicationController
def index
authorize User # This will call the policy that matches this controller since this is UsersController it will call `UserPolicy`
#users = User.all
render :json => #users
end
def show
#user = User.find_by :id => params[:id] # Instead of using exists which query the data from db then finding it again, you can use find_by which will return nil if no records found.
if #user.blank?
return render :json => {:message => 'User not found.'}, :status => 404
end
authorize #user # This will call the policy that matches this controller since this is UsersController it will call `UserPolicy`
render :json => #user
end
end
In your Policy
class UserPolicy < ApplicationPolicy
def index?
#user.admin? # The policy is called in controller then this will check if the user is admin if not it will raise Pundit::NotAuthorizedError
end
def show?
#user.admin? || #record == #user # The policy is called in controller then this will check if the user is admin or the user is the same as the record he is accessing if not it will raise Pundit::NotAuthorizedError
end
end
In your ApplicationController
class ApplicationController < ActionController::API
include Pundit
rescue_from Pundit::NotAuthorizedError, :with => :show_forbidden
private
def show_forbidden exception
return render :json => {
:message => 'You are not authorized to perform this action.'
}, :status => 403
end
end

Refactoring multiple render in controller

In my rails controller, I have to check after getting #group with before_action that this group is not system.
But I have lot's of repetition in my controller. I've tried to turn into a separate method but I get the classic :
Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return".
Here is a part of my code without the separate method who give me the error.
def destroy
if #group.is_system?
render json: { errors: 'You can\'t delete a group system' }, status: 403
return
end
...
end
def update
if params[:group] && !params[:group].empty?
if #group.is_system?
render json: { errors: 'You can\'t edit a group system' }, status: 403
return
end
...
else
render json: { errors: 'Missing correct parameters' }, status: :unprocessable_entity
end
end
.....
You could have in a parent controller:
def render_errors(errors, status)
render json: { errors: Array(errors) }, status: status
end
def render_403(errors)
render_errors(errors, 403)
end
def render_422(errors)
render_errors(errors, 422)
end
then in your action:
before_action :check_system
def check_system
# I assume you already defined #group
render_403('You can\'t delete a group system') if #group.is_system?
end
Notice I changed a bit of your code: having errors key which is only a string is very misleading, should be an array.

How to properly validate a user before displaying page in Rails

In my application, I store the user's ID in session[]. At the beginning of every controller action, I'm calling a method defined in the ApplicationController called current_user:
def current_user
#current_user ||= session[:current_user_id] &&
User.find_by_id(session[:current_user_id])
end
At the beginning of my controllers' methods, I have the following:
#current_user = current_user
if #current_user == nil
redirect_to :home
return
end
This is obviously repetitive code and should be a method somewhere. I read the answer for this question, and tried putting my method into a parent class that my controller classes now descend from, however it seems like I can't redirect from that method now.
In my parent class, I have:
def verify_user
user = current_user
if user == nil
redirect_to "/"
return
end
return user
end
And now I've changed my controller methods to this:
#current_user = verify_user
This doesn't work, and I think I know why. For one, I can't simply call return in my verify_user method, as that obviously will just return to the controller. The redirect doesn't seem to have any affect, probably because format.html is being called after the redirect call, which was the reason for the return in the original code.
So, what am I doing wrong here, and what suggestion do you have to solve it? Is this the wrong approach? My main goal is to keep the entire "check if user is logged in otherwise redirect" to one line of code per controller method.
Take a look at the devise gem https://github.com/plataformatec/devise. It handles a lot of this basic user authentication logic for you. This specific problem can we solved by adding before_filter :authenticate_user! to the controllers or actions that need to be guarded.
Add the following logic to the ApplicationController class:
class ApplicationController < ActionController::Base
def current_user
...
end
def logged_in?
current_user.present?
end
def require_user
return true if logged_in?
render_error_message("You must be logged in to access this page",
new_user_session_url)
return false
end
def render_message message
respond_to do |format|
format.html {
if request.xhr?
render(:text => message, :status => :unprocessable_entity)
else
redirect_to(root_url, :notice => message)
end
}
format.json { render :json => message, :status => :unprocessable_entity }
format.xml { render :xml => message, :status => :unprocessable_entity }
end
end
end
Now add a before_filter to your controller:
class OrdersController < ApplicationController
before_filter :require_user
end

Resources