Im using a forum engine called Thredded. The installation goes well but when trying to access localhost:3000/forum , it gives me this error.
I already trying the suggested solution by adding a method admin? on user.rb but still it doesnt work.
def admin?
has_role?(:admin)
end
any ideas? thanks
Thredded maintainer here.
What version of the Gem are you using, by the way?
For the time being, if you haven't solidified how you would like your users' roles to be defined, I would consider making that method as simple as possible. For example - if the current user has an id of ... 4? or 5? Or whatever your personal user record id is - return true. Otherwise false.
Ask your user object if they are you! :)
def admin
self.name == 'Joel'
end
If the current user record has my name - then yes, I am an admin.
If there's anything I can do to help, please feel free to head over to the issues and open up a ticket. We'd be more than happy to help.
It looks like the missing method is admin, not admin?. Try defining that method instead:
def admin
has_role?(:admin)
end
Related
I'm working on a project where I'm trying to use lit https://github.com/prograils/lit to organise my translation file. So I've installed the gem and done the it's working. The problem is that the dashboard is now available to any user.
We use devise for authentication and pundit for authorization, but I can't find any mechanism to restrict access to the dashboard depending on the users role.
Any help would be greatly appreciated.
dashboard depending on the users role. is something you need to achieve using(in your case) Pundit. As you mentioned you are already using it then you should be able to do something like below:
class DashboardPolicy
:
:
:
def show?
user.admin?
end
end
In you user.rb model you will need a method which would return a boolean value something like:
def admin?
self.role == "admin"
end
Update (in case of no access to controller method)
As you mentioned you dont have access to the controller method then in this case you may want to check for constraints at the routes level.
I wont be adding code snippets here since it has been documented really well on another question you can check out the answer here: https://stackoverflow.com/a/29136866/2545197 and also read more about the same here: http://guides.rubyonrails.org/routing.html#advanced-constraints
i'm kind of new to rails and i want to require a user to input his current_password before updating his infos. I know this can be achieved through devise but i want to do it without devise because i'm having a really hard time modifying the devise.
what i have in mind is something like this:
def update
#edi_user = EdiUser.find(#trader_edi_user.edi_user_id)
#edi_user.update_attributes(edi_user_params.reject_if{ |attr| params['current_password'].blank? })
redirect_to :back
end
i know this code is wrong, but is this kind of logic possible in rails?
Or can anybody help me how to code the right syntax?
thank you in advance
Skipping update on missing attribute,
#edi_user.update_attributes(edi_user_params) if params['current_password'].present?
I am developing Rails application where used rails_admin gem. But when I tried to create new user at that time password field not display in admin and Not able to create new user.
I got below error:
undefined method `new' for #<RailsAdmin::Config::Sections::Base:0x000000088d5d08>
Anyone have a idea or experience in it. Where I am missing or doing wrong.
Thanks in advance.
You are going to have to change new to edit: https://github.com/sferik/rails_admin/wiki/Fields#form-rendering. Both methods use the same partial and/or rendering logic.
You must use the edit section. You can check the action name in this way
edit do
include_all_fields
fields :attr_1, :attr_2 do
visible do
bindings[:controller].action_name == 'new'
end
end
end
I'm looking into RoR some way to: login into the system with DEVISE, (it's working), but i'm needing something than keeps always the view of this logged user, and avoid than this user looks another views.
http://xx.xx.xx.xx:3000/user/1
And this user cannot look the content of:
http://xx.xx.xx.xx:3000/user/2.
Please, sorry if this is a silly question, but, i was looking 2 days and i don't know how i can name this feature.
Thanks!
There are gems available for this Authorization. I prefer can can which is one of the best Authorization gems available
Here is the gem=> https://github.com/ryanb/cancan
And here is the rails cast tutorial using it=> http://railscasts.com/episodes/192-authorization-with-cancan
EDIT: If you want to manually implement this then you just need to make a method with following logic
def check_authorization
# Assuming user ID is coming in params[:id]
if current_user.id == params[:id]
return
else
# render or redirect to some page with access denied message
end
end
And call this method just before any action in which you want to check for authorization.
You know, I think I have to check current user in the model callbacks (like before_update). Rather than rely solely on adding where ('something.user_id = ?', 'current_user.id') in the controllers. I need something like Thread.CurrentPrincipal in .NET
Is it safe to put reference to current user in User model? I'm sorry I don't really understand how it works under the hood yet.
Or how you do it The Rails way?
Sorry if this a silly question.
Added on 3/27
Oops
To get the right answer you have to ask the right question. And that's not an easy task in itself. How can it be that other people's questions are so obscure and they get their answers and your own question is so clear-cut but nobody understands it? :)
I do not understand where to put security check. That the user will get access only to his own stuff. On the controller level? And then test every action? "should not /view|create|edit|destroy/ other user's stuff"? I thought may be I can put it in the model and have one place to /write|refactor|test/. That's why I asked about how I can get a reference to the current user.
Actually I'm surprised I didn't find anything relevant in Rails Guides or Blogs. Some questions were asked but no authoritative "best practices" besides "don't do it".
After giving some thought I decided to just create in the controller before_filter the scope scoped to the current user and just rely on my own convention (promised to myself that I won't access the model directly). And just test it once per controller. That's not a banking application anyway.
I'm not sure I get your situation. If you want to check if some other model's instance belongs to current user - use associations (I inferred that from "something.user_id = ?").
Else - in ActiveRecord before_update method is used on a per-instance basis. I.e. you pass current instance to that callback as an argument. Hence:
def before_update(current_user_instance)
current_user_instance.do_something
end
Will yield any user instance as current_user_instance in the callback. So you can do following:
>> user_1 = User.find(1)
>> user_1.update_attribute(:some_attribute, 'some value')
>> user_2 = User.find(2)
>> user_2.update_attribute(:some_attribute, 'some other value')
This will call do_something method on separate instances (user_1 and user_2)
I don't really understand Thread.CurrentPrincipal, but current_user generally means the logged in user and that is completely a controller context. It is not available for use inside a model. So a hacky solution would be:
class UseCase < ActiveRecord::Base
after_save :my_callback_method
attr_accessor :current_user
def my_callback_method
# Some operations based on current_user
end
# ...
end
And then in your controller:
#...
use_case = UseCase.find(use_case_id) # Just an example, can be anything
use_case.current_user = current_user
# then this
use_case.save
# or basically
use_case.method_that_triggers_after_save_callback
#...
Warning: I am sure this is bad practise (I have never used it myself). But this will work. Ruby gurus / MVC gurus out there, please comment.