I have a devise model called user. When a user signs up, they will be directed to fill out form called "userinfo". I have a model called userinfo. As soon as a new userinfo is created, I give each userinfo a unique token. I permit "token" in my userinfo controller. It works, but everytime I edit the form and update, the unique token changes too. I was thinking I should only show the first created token on the userinfo#show page. But if a user updates their userinfo form 5 times, 5 tokens will be created and 4 will be wasted.
So actual problem: Create unique token when userinfo#new happens and show it on the userinfo#show page. Unique token should not be updated when userinfo#edit and userinfo#update happens.
My userinfo model:
class Userinfo < ActiveRecord::Base
belongs_to :user
before_save :set_token
def set_token
self.token = rand(100000..999999)
end
end
Userinfo controller:
class UserinfosController < ApplicationController
before_action :find_userinfo, only: [:show, :edit, :update, :destroy, :log_impression]
before_action :authenticate_user!
def index
#userinfors = Userinfo.search(params[:search])
end
def show
end
def new
#userinformation = current_user.build_userinfo
end
def create
#userinformation = current_user.build_userinfo(userinfo_params)
if #userinformation.save
redirect_to userinfo_path(#userinformation)
else
render 'new'
end
end
def edit
end
def update
if #userinformation.update(userinfo_params)
redirect_to userinfo_path(#userinformation)
else
render 'edit'
end
end
def destroy
#userinformation.destroy
redirect_to root_path
end
private
def userinfo_params
params.require(:userinfo).permit(:name, :email, :college, :gpa, :major, :token, :skills, :user_img)
end
def find_userinfo
#userinformation = Userinfo.friendly.find(params[:id])
end
end
View:
<%= #userinformation.token %>
Try something like this:
def set_token
self.token ||= rand(100000..999999)
end
The ||= says, "set token to a random number unless token already has a value" (roughly).
BTW, in response to the comments below and on your original question, it is true that using:
rand(100000..999999)
is not such a good idea. Two problems were identified:
There is a chance that the generated number will not be unique, and
The probability that you attempt to assign non-unique numbers increases with the number of users and goes to 100% once you have 999,999 users.
As mentioned in the comments, using SecureRandom.uuid is a good thing if you don't mind the format of the UUID which is something like this:
ad9ed387-ec8e-4091-84b1-fe2ce2bbfcd4
In which case you would do something like:
def set_token
self.token ||= SecureRandom.uuid
end
This is, by the way, what I do in my code.
With SecureRandom.uuid, the probability that you will generate duplicate tokens is vanishingly small. However, if you are worried about that very small chance, you could also enforce uniqueness at the DB level and in your model. Those are separate questions that you may want to post if you are interested in the answers.
Related
I'm sure this is an obvious question but I just don't understand why this isn't working.
I'm finding that my static pages defined in the routes.rb file don't seem to have access to cookies? Is that correct? I'm trying to read the value of a cookie but the pages below seem to return a null object.
My routes.rb contains the following:
scope controller: :static do
get :about
get :terms
get :privacy
get :cookies
get :returns
get :delivery
end
For completeness here is the Static Controller:
# frozen_string_literal: true
class StaticController < ApplicationController
before_action :find_order
def index; end
def about; end
def pricing
redirect_to root_path, alert: t('.no_plans') unless Plan.without_free.exists?
end
def terms; end
def privacy; end
def cookies; end
def returns; end
def delivery; end
end
And this is how the cookie is set:
class OrdersController < ApplicationController
before_action :find_order
def add_hamper
#order ||= Order.create!(
ordernum: find_next_order_number,
user: current_user,
basket: true
)
#order.hampers << Hamper.friendly.find(params[:id])
update_order_total(#order)
if current_user&.custaddress
#order.update(custaddress: current_user.custaddress)
else
cookies[:ordernum] = #order.ordernum
end
redirect_to order_path(#order.ordernum)
# Update basket in Navbar
# Save the information as a cookie reference if they are not signed in
end
At the start of each controller I have a before_action to find an order if it exists in the DB or Cookie. For all other controllers, the find_order method is working. For the StaticController, there seems to be no access to the cookies.
Here is my find_order as defined in ApplicationController:
def find_order
#order = if current_user
Order.where(
user: current_user,
basket: true
).first
else
if cookies.dig[:ordernum]
Order.where(
ordernum: cookies[:ordernum],
basket: true
).first
end
end
end
helper_method :find_order
I've had to add the check for cookies and then if cookies[:ordernum] to stop it from failing on the static pages.
Thanks for any help with this.
PS. If anyone feels the above code could be better ... please let me know! There must be a nicer way to achieve this. It feels a little clunky.
So currently im trying to make an app where each user has its own todo list with its own index page, which means, everybody is able to visit the user page to see each tasks of the user.
I use devise and created a simple model with a user reference:
rails g model Todo title:string completed:boolean user:references
added of course belongs_to / has_many to todo.rb/user.rb
Now since i want each todo index page to be assiociated with the users todos, i've created a nested resource like so:
resources :users do
resources :todos
end
visiting
http://localhost:3000/users/1/todos/
works fine and shows the index page.
Heres the problem: when i change the number after /users/ to, for example, 2, its still working, even though there is no user with the id of 2.
Any ideas how i can make this dynamic, so that the integer after /users/ represents the user_id? Thought i did it right but i guess im missing something. Thanks in advance!
EDIT:
as requested, TodosController.rb:
class TodosController < ApplicationController
def index
#todos = Todo.all
end
def new
end
def show
#todo = Todo.find(params[:id])
#user = #todo.user
end
def update
end
def edit
end
end
Let look at your index action:
def index
#todos = Todo.all
end
It displays all todos always, because it doesn't know anything about the user.
It should be:
def index
#user = User.find(params[:user_id])
#todos = #user.todos
end
And in the show action you have to find the user at first, in this case you're sure, that the requested todo belongs to the requested user
def show
#user = User.find(params[:user_id])
#todo = #user.todos.find(params[:id])
end
You can refactor out #user = User.find(params[:user_id]) to the before_action callback, because you'll use it in all actions
Using Rails 3.2. I am trying to secure my app by checking user permission on all crud actions. Here is one of the examples:
class StatesController < ApplicationController
def create
#country = Country.find(params[:country_id])
if can_edit(#country)
#state.save
else
redirect_to country_path
end
end
def destroy
#country = Country.find(params[:country_id])
if can_edit(#country)
#state = State.find(params[:id])
#state.destroy
else
redirect_to country_path
end
end
end
class ApplicationController < ActionController::Base
def is_owner?(object)
current_user == object.user
end
def can_edit?(object)
if logged_in?
is_owner?(object) || current_user.admin?
end
end
end
I notice that I have been wrapping can_edit? in many controllers. Is there a DRYer way to do this?
Note: All must include an object to check if the logged in user is the owner.
You are looking for an authorization library. You should look at CanCan which allows you to set certain rules about which objects can be accessed by particular users or groups of users.
It has a method, load_and_authorize_resource, which you can call in a given controller. So your statues controller would look like:
class StatesController < ApplicationController
load_and_authorize_resource :country
def create
#state.save
end
def destroy
#state = State.find(params[:id])
#state.destroy
end
end
CanCan will first load the country and determine whether or not the user has the right to view this resource. If not, it will raise an error (which you can rescue in that controller or ApplicationController to return an appropriate response".) You can then access #country in any controller action knowing that the user has the right to do so.
I'm setting up a simple survey on my web page.
I want to add a before_filter so that the same person can't take the survey more than once.
My idea is to
1) create and save a remember_token to each survey when it is submitted.
2) create a cookie based on that remember token to be placed on the submitter's browser
3) Every time some visits the page, use a before filter to make sure they don't have a cookie that matches a survey in the database.
I put together the below, but for some reason, it automatically redirects to the thanks_path, regardless of whether I have a remember token?
Why does it do this? Am I using the session cookie incorrectly?
My surveys_controller is as below
before_filter :new_visitor, only: [:new, :create]
def new
#this is the survey form
#survey = Survey.new
end
def create
#this submits the survey and creates a cookie on the client's browser
#survey = Survey.new(params[:survey])
if #survey.save
cookies.permanent[:remember_token] = #survey.remember_token
redirect_to thanks_path
else
render action: "new"
end
end
def thanks
#blank page that just says, "thanks for taking the survey!"
end
def new_visitor
# if a browser has a survey cookie, redirect to thanks page
unless Survey.find_by_remember_token(cookies[:remember_token]).nil?
redirect_to thanks_path
end
end
I am creating the remember token in my Survey model.
class Survey < ActiveRecord::Base
before_save :create_remember_token
def create_remember_token
self.remember_token = SecureRandom.urlsafe_base64
end
end
I think you need to test for the existence of the cookie[:remember_token] before using it as an argument to find_by_remember_token(). Only if cookies[:remember_token] is not nil and a record is found do you redirect to the thanks_page.
if cookies[:remember_token] && Survey.find_by_remember_token(cookies[:remember_token])
redirect_to thanks_page
end
unless Survey.find_by_remember_token(cookies[:remember_token]).nil?
this means if Survey not nil then redirect, i think you need to change to
unless Survey.find_by_remember_token(cookies[:remember_token])
or
if Survey.find_by_remember_token(cookies[:remember_token]).nil?
I have 3 tables
items (columns are: name , type)
history(columns are: date, username, item_id)
user(username, password)
When a user say "ABC" logs in and creates a new item, a history record gets created with the following after_create filter.
How to assign this username ‘ABC’ to the username field in history table through this filter.
class Item < ActiveRecord::Base
has_many :histories
after_create :update_history
def update_history
histories.create(:date=>Time.now, username=> ?)
end
end
My login method in session_controller
def login
if request.post?
user=User.authenticate(params[:username])
if user
session[:user_id] =user.id
redirect_to( :action=>'home')
flash[:message] = "Successfully logged in "
else
flash[:notice] = "Incorrect user/password combination"
redirect_to(:action=>"login")
end
end
end
I am not using any authentication plugin. I would appreciate if someone could tell me how to achieve this without using plugin(like userstamp etc.) if possible.
Rails 5
Declare a module
module Current
thread_mattr_accessor :user
end
Assign the current user
class ApplicationController < ActionController::Base
around_action :set_current_user
def set_current_user
Current.user = current_user
yield
ensure
# to address the thread variable leak issues in Puma/Thin webserver
Current.user = nil
end
end
Now you can refer to the current user as Current.user
Documentation about thread_mattr_accessor
Rails 3,4
It is not a common practice to access the current_user within a model. That being said, here is a solution:
class User < ActiveRecord::Base
def self.current
Thread.current[:current_user]
end
def self.current=(usr)
Thread.current[:current_user] = usr
end
end
Set the current_user attribute in a around_filter of ApplicationController.
class ApplicationController < ActionController::Base
around_filter :set_current_user
def set_current_user
User.current = User.find_by_id(session[:user_id])
yield
ensure
# to address the thread variable leak issues in Puma/Thin webserver
User.current = nil
end
end
Set the current_user after successful authentication:
def login
if User.current=User.authenticate(params[:username], params[:password])
session[:user_id] = User.current.id
flash[:message] = "Successfully logged in "
redirect_to( :action=>'home')
else
flash[:notice] = "Incorrect user/password combination"
redirect_to(:action=>"login")
end
end
Finally, refer to the current_user in update_history of Item.
class Item < ActiveRecord::Base
has_many :histories
after_create :update_history
def update_history
histories.create(:date=>Time.now, :username=> User.current.username)
end
end
The Controller should tell the model instance
Working with the database is the model's job. Handling web requests, including knowing the user for the current request, is the controller's job.
Therefore, if a model instance needs to know the current user, a controller should tell it.
def create
#item = Item.new
#item.current_user = current_user # or whatever your controller method is
...
end
This assumes that Item has an attr_accessor for current_user.
The Rails 5.2 approach for having global access to the user and other attributes is CurrentAttributes.
If the user creates an item, shouldn't the item have a belongs_to :user clause? This would allow you in your after_update to do
History.create :username => self.user.username
You could write an around_filter in ApplicationController
around_filter :apply_scope
def apply_scope
Document.where(:user_id => current_user.id).scoping do
yield
end
This can be done easily in few steps by implementing Thread.
Step 1:
class User < ApplicationRecord
def self.current
Thread.current[:user]
end
def self.current=(user)
Thread.current[:user] = user
end
end
Step 2:
class ApplicationController < ActionController::Base
before_filter :set_current_user
def set_current_user
User.current = current_user
end
end
Now you can easily get current user as User.current
The Thread trick isn't threadsafe, ironically.
My solution was to walk the stack backwards looking for a frame that responds to current_user. If none is found it returns nil. Example:
def find_current_user
(1..Kernel.caller.length).each do |n|
RubyVM::DebugInspector.open do |i|
current_user = eval "current_user rescue nil", i.frame_binding(n)
return current_user unless current_user.nil?
end
end
return nil
end
It could be made more robust by confirming the expected return type, and possibly by confirming owner of the frame is a type of controller...