I am new to Ruby on Rails development. Currently, I am creating a web app where users can log in, create, and manipulate their own "campaigns" (database objects) that are then displayed on a dashboard. I am using the devise gem, but at best it filters the database objects without actually using any permissions. I need to make sure that the database objects that appear on the dashboard are specific to only the current user that is logged in. What would be a good solution for displaying the campaigns of only the logged in user on the dashboard, and making sure that the user can't access/see anyone else's objects on the dashboard.
It sound like you need a before_filter on your controller. I don't use devise, but just google "devise before action" and you will find many links like this one that might be helpful. On another note, here is an excellent tutorial that shows how to create your own authentication system. I recommend doing it twice. The rails guides are also great.
Update:
Try this in your contoller
def index
#user = User.find(params[:id])
#campaigns = #user.campaigns.all
end
Related
Let's say I have Blog app built with Rails and on a post created by a user(Author) I have a "Request a chat" button.
I want to build a small function on that post page that when User A presses that button, the page will redirect to or open a chatbox that connect User A with user Author?
Author is a devise registered user and User A is not.
How would I build something like that? Thanks
I think it's weird having a devise registered user and a non devise user unless you mean User A is just an unregistered guest. Either way, it's not a big deal and it can be done.
The way you would put together that system is as follows:
OpenChat # your new data model
OpenChatsController # your new controller
"Request a chat" would create a new OpenChat object, with author and guest A foreign keys. If User A is a guest, you can store a cookie "password" in their browser but generally it's only advisable if the conversation is brief and security isn't a big deal.
Then you would be able to check if there is an open chat between the two users and display it in any page you want, and display messages appropriately.
You will need to look up how to setup a basic chat system (there are a million answers out there that will take you step by step) as that's beyond the scope of this question.
If you are new to Rails, I also recommend Michael Hartl's Ruby on Rails tutorial:
https://www.railstutorial.org/
first time poster so apologies if I come across very noob like.
I have started developing a TODO Rails app that allows people to login and create several lists for themselves.
I would like to have the user flow work so that after the user signs in they are presented with a "Profile page" that shows some importent links, info on the user and then a grid containing their lists etc.
Now down to the query, What is the best way to go about this as I have a User model and also a list model. Do I need to create a profile controller that has a simple #index action on it that I can pull in info from the 2 models or is there a more acceptable way?
I was hoping that Devise would provide something like this but if they do I cant find it.
I'm not sure that I would couple my user profile page with Devise. Devise is a tool for user authentication, and it seems to me that a user profile page isn't really related to authentication.
I would put your user profile on the user show page, i.e. app/views/user/show.html.erb. (If it doesn't already exist, you might have to create a UserController and app/views/user directory.)
As for redirecting users to the profile page on login, this is (basically) how I do it in app/controllers/application_controller.rb:
class ApplicationController < ActionController::Base
def after_sign_in_path_for(resource_or_scope)
user_show_path(current_user)
end
end
To address your last question, at least partially, no, I wouldn't create a profile controller. Thinking RESTfully, a user profile page would be most appropriate, it seems to me, in UserController#show.
I have been through M. Hartl's book on ROR Tutorial and in there for the Edit and Update action for the user the book uses "#user = User.find(params[:id])" to find the user and then for authorization purposes adds a "correct_user" method which checks if #user is the current user. The thing that is baffling me is that why can't I just find the user to begin with using "#user = current_user" in the edit and update actions so that I don't have to worry about users passing in other User ID's through the URL. Does this approach I am thinking of leave any security loopholes? I am using Devise so I already have a current_user method handy.
One potential problem with that approach is that it might be a user with special privileges (admin, moderator, etc.) trying to edit another user that they are allowed to update. Best to stick with fetching from the database. Also, if rails has already fetched the user in the current request cycle, the object should be cached, so it shouldn't actually do a second database request anyways.
I'm stuck figuring out the best practice...
I want to create a "following" system in a way that a user can follow a car (getting email updates when car price changes, etc). The part of implementation that's giving me headaches is when I want to introduce lazy registration by only using email.
Everything needs to work as AJAX requests.
In the interface, there will be a button to trigger the follow action, which will check if the user is registered or not. If a user is logged in, create a new CarSubscription item, otherwise display a form where he could type his email address. Once submitted, the form should create a user with no password (if email exists, ask for the password and log in) and then it should create the relationship item.
The challenge here is to use redirection after submission of the form to the CREATE action of the CarSubscriptionController. Since I can't redirect using POST I can't simulate the CREATE or DESTROY action.
The non-RESTful solution would be to create 2 actions under cars_controller: follow and unfollow and let them do the logic of creating entries and deleting them. That would enable me to just store the request path and use it after the user enters their email and logs in.
How can I achieve what I want using RESTful resources?
After trying to describe my problem here, it seems it's way too complicated and I am indeed very stuck... There are 3 different controllers and possibly 4 requests in this scenario.
Any help would be tremendously appreciated!
Please see my flow chart below:
Not an expert here, I don't know if it's the best solution, but what I have done in similar situation is :
In your controller, respond with javascript instead of redirecting the user
In your javascript file, use $.post(...) to issue a POST to your controller action
Et voilĂ !
You can also use ActiveResource to achieve this, but I actually never tried that solution : http://api.rubyonrails.org/classes/ActiveResource/Base.html#label-Custom+REST+methods
Person.new(:name => 'Ryan').post(:register)
Hope this helps
I had a very similar need and had trouble pulling the various bits of info on how to do this with Devise and Rails together into a working example. Here's a fully working example based on Rails 4, Ruby 2, and Devise 3.0:
https://github.com/mwlang/lazy_registration_demos
I'm using the Authlogic Facebook Connect plugin on my site. After a bit of a struggle I can sign in with FBConnect, I can get stuff from the FBSession, like the users name, and I can logout. But, the README on the plugin site seems to suggest that following the five steps will result in the FB UID being saved in your local database (presumably against a user it will have created), but there's nothing in the docs or code that indicates how this will actually happen. What I want is that when a user signs in using FBConnect, I either match or create a new user for them. From then on I can use current_user in my controllers and views as normal (so that current_user.id is their local id, not their facebook id, since I want multiple forms of authentication), but if I want facebook stuff for that user I can access it easily, maybe with something like current_user.fb_user.
Has anyone been able to do this? If so, how?
Thanks.
This is precisely what Authlogic is suppose to do! One thing that was missing from the doc when I installed the facebook plugin was the need to add a facebook_session_key column in the users table :
add_column :users, :facebook_session_key, :string
Did you add this column?