Multiple users authenticating and authorizing - ruby-on-rails

I am a bit confused with Authorizing and Authenticating at the moment.
First I need to tell you about my project. It will have two main models: Users and Pros. Users are people requesting a service. Pros are people offering services. Pros can have very different jobs and thus very different type of data stored in my project. I plan to have different models for different types of jobs held by the Pros (photographers, wedding planners..). Those models will have relationships and "own" different other models (images added with paperclip, links to websites...).
I guess I need to use gems for both Authentication and Authorizing (I have Devise and Pundit in mind)
now my questions:
I would like to have all Users and Pros login through the same form.
I guess this is very a Devise thing. Though after having read a bit about Devise, it seems there is a login for each of the Models. but this thread mentions Devise "groups"
https://gorails.com/forum/devise-with-multiple-user-models-with-single-login-form
Will it definitely solve my problem of a single form login ?
I would like to have each of the Pros submodels show a preview of their records to any type of users or even guests. But when a Pro is logged in they can access to an extended profile view with more information (all personnal data that can be changed, price requests from users, etc...). Can you confirm this is Pundit job here ?

Pundit is the perfect choice for achieving your second point. You can limit certain actions (such as edit/update) to be achievable only by the Pro who owns the account. The code for those actions in the ProPolicy would look something like:
def edit?
update?
end
def update?
record.pro == user
end
In terms of your question about multiple user model authentication using Devise, can you explain why you are set on having just one login form for both users? You could have a dropdown on the login button where the user can select if he is a normal User or a Pro. Or you could even have a checkbox/select on the form where they select which type of login they want to use.
If not, then you will somehow have to check your database to see if the login exists in either the Pro or User tables. However, I suppose that would mean that you cannot have both a Pro and a User account using the same email.

Related

User settings and access control in rails

I have a webapp build with rails. Nothing complicated so far. Now I would like to restrict some areas for the user. I would like to implement two roles, User and Admin. Clearly the admin can do much more, like use DELETE in some of the controller methods. But there is even more. The user should be able to set some settings. For example he can set his profile to private, so only his friends can see his content. I am not sure how to build all of this with rails.
I did some research and found those two:
https://github.com/elabs/pundit
https://github.com/ledermann/rails-settings
Maybe a combination of those two would get me to the way I want the app to be?
If the app is going to be used used by real users i would go for the devise gem(https://github.com/plataformatec/devise) It allows user to create accounts, retrieve lost passwords etc. By default it allows users to edit their "profile"(rather their personal data), it should be easy to add a checkbox to toggle public/private profiles.
In conjunction with cancancan(https://github.com/CanCanCommunity/cancancan) you can assign roles to users, without having two different classes(Users and Admins for example).

Creating and Managing Users and Profile Models in Rails

I know there are multiple threads concerning this topic and having read them I still can't figure out the best approach for my situation. I have a Users model and I am using Devise for authentication. I am using quite a few Devise Modules which have added about 20 columns to my Users model. What I am thinking of doing is to add a separate Profile Model which will have about 18 columns.
The issue is that after sign up, the Devise Confirmable module redirects him to the HOME page and sends a confirmation link to his email. Once he confirms he is taken to the User Show page which is supposed to display his profile information.
I want to ensure that the User fills in his profile information before he is able to do anything on the site. All the Profile fields (About 18 of them) are mandatory and critical from an authorization standpoint and dictate what he can and cannot do. I am not sure how to go about this?
1) Should I just have a User model (this will mean 40 columns in Users table) and create a multi-step form?
2) Should I have a user model and a profile model?
3) If so, how can I make the user fill in his profile information before he confirms his account or right after?
4) Do I need a profile controller as well? I don't know where to begin!
Actually its very simple. You can have different models for user and profile. You need to have some mechanism for flagging if the user has filled his profile information(something like user.profile.nil?). Now you just need to create a before filter method which will redirect the user to create profile page if he does n't have one.

Two different logins and usernames from the same table

I need two kinds login if they refer to different controllers, example:
site.com/consumers
site.com/panel
site.com/consumers login is to make comments and site.com/panel is for the administrative part of advertisers and users.
I'm all consumers and advertisers in the same table users in the database.
Could anyone help me to make two logins do validation on the same table and after login, sends to different views and controllers?
In my route I was trying to use:
devise_for :panel, :class_name => "User"
But the layout of the login is the same, and would need to be different.
== UPDATE ==
I have three classes of people.
1) Consumer
2) advertiser
3) Administrator
The records are in the same table. But each record has a column "type" arrow you like (consumer, advertiser or administrator) So far I've managed to solve.
The problem is this:
When the user accesses via: www.site.com/comment
This user can login to make a comment on the site.
When the user accesses via: www.site.com/panel
This user can login to access the panel from him, he may be, (consumer, advertiser or administrator).
I would like to make two types of logins, one for / comment with the layout of the site and one for the / panel with the panel layout, but doing validation on the same table, in this case (Users).
Your question is a little hard to understand. It looks like your using devise. I am not sure if you are trying to use two different models, and have two different kinds of devise users, perhapse with different permissions? Or if you are trying to direct people to different pages depending on who they are after they login?
I would recommend you checkout after_sign_in_path in devise. You can define it in your application controller. If you are trying to send someone back to a different section of the site depending on where they signed in you could set a session variable and then use it in that function to decide where to send someone.
If you rewrite your question I will try and give a better answer.

Best approach to a customer portal in ASP.NET MVC

The problem: client needs a website to serve 10+ customers, each customer has 5-10 people they wish to grant access using login & user name, once "logged in" the user can download files specific to their company.
The files will be uploaded to a directory under the customer name, and displayed as a list. Currently using membership for all of the users, it's just the "by customer" segmentation I'm wondering about. the question being under ASP.NET MVC what is the cleanest or simplest approach to solving the customer segmentation, trying to avoid customer membership provider so was going to use the roles to assign customer group.
Thoughts appreciated.
In the past I tried to avoid the membership and role providers as well since I don't like the way they are implemented. So just use the old school way. Create two tables on your db, one stores the customers the other the users.
Just build a simple relationship like: User n ----- 1 Customer
Now if a user logs in first authenticate him/her against the User table, then authorize on the Customer table.
The provide the right downloads, just create an additional table File, which has a n:1 relationship to the Customer table (like the User table).

Securing web application on the data access level

Please consider the following setup:
Multi-tenant webapp.
Tenants create company accounts and company accounts have user accounts under them.
Users have roles, there's a special role "Owner" (the user who created the company account).
I'd like to have users to edit other user accounts (some admin tasks), but two conditions must be met:
Noone may edit owner's data (except for owner, when he's editing his own profile, and own profile editing is the same user editing).
Users may access user data and edit users only within their company account.
The app uses MVC architecture. Currently I check for those two conditions in the web layer and it works for me, but I have some concerns. If I go with some sort of API or some other type of data consumer, I may "forget" to re-inforce these conditions. Also, there will be other objects in the app with similar functionality requirements and which will have similar restrictions on them, so it's better for me to come up with some sort of pattern which will enforce my restrictions on data access level.
Could anyone recommend some approach worth looking into?
Thanks!
I beleive aspects or interceptors should be able to help you. If you work with objects you should be able to intercept requests containing your business data and check wether your user is allowed to work on it. The interceptor could then stop or proceed the execution.

Resources