I am building a simple blog app using Ruby on Rails that allows users to log in/out, sign up and perform actions on their articles and profiles based on permissions and restrictions.
I have encountered a problem with the destroy User action. In the users/index view(where all existing users are listed), it causes no errors due to the url path containing no {:id}, but the redirect_to root_path does not work. If the same action is executed in the users/show page(personal profile page with some info and associated articles), due to the url being localhost/users/id, when the user is deleted I get "Couldn't find User with 'id'=33" error shown below. If I manually go to the root route, the successful account deletion message shows up and the action is performed correctly. So this is not a metter of DESTROY not working, but of redirection I believe. I have tried redirecting to different paths but it still doesn't work. Here are the related files:
routes.rb
Rails.application.routes.draw do
root "pages#home"
get "about", to: "pages#about"
resources :articles
get "signup", to: "users#new"
resources :users, except: [:new]
get 'login', to: 'sessions#new'
post 'login', to: 'sessions#create'
get 'logout' => :destroy, to: 'sessions#destroy'
end
pages_controller
class PagesController < ApplicationController
def home
redirect_to articles_path if logged_in?
end
def about
end
end
users_controller
class UsersController < ApplicationController
before_action :set_user, only: [:show, :edit, :update, :destroy]
before_action :require_user, only: [:edit, :update]
before_action :require_same_user, only: [:edit, :update, :destroy]
def index
#users = User.all
end
def show
#articles = #user.articles
end
def new
#user = User.new
end
def edit
end
def create
#user = User.new(user_params)
if(#user.save)
session[:user_id] = #user.id #logs user in automatically once they are signed up
flash[:notice] = "Welcome to AlphaBlog, #{#user.username}!"
redirect_to articles_path
else
render 'new'
end
end
def update
if #user.update(user_params)
flash[:notice] = "Account updated!"
redirect_to #user
else
render 'edit'
end
end
def destroy
#user.destroy
session[:user_id] = nil
flash[:notice] = "Account and all associated articles deleted!"
redirect_to root_path
end
private
def user_params
params.require(:user).permit(:username, :email, :password)
end
def set_user
#user = User.find(params[:id])
end
def require_same_user
if current_user != #user
flash[:alert] = "You can only edit your own profile!"
redirect_to current_user
end
end
end
sessions_controller
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by(email: params[:session][:email].downcase)
if user && user.authenticate(params[:session][:password])
session[:user_id] = user.id
flash[:notice] = "Logged in successfully!"
redirect_to user
else
flash.now[:alert] = "There was something wrong with your login details!"
render 'new'
end
end
def destroy
session[:user_id] = nil
flash[:notice] = "Logged out."
redirect_to root_path
end
end
users/index.html.erb
<div class = "header">
<h1>
AlphaBlog
<% if logged_in? %>
<%= link_to 'Articles', articles_path, method: :get, class: "index-button-to" %>
<% else %>
<%= link_to 'Home', root_path(), method: :get, class: "index-button-to" %>
<%= link_to 'Articles', articles_path, method: :get, class: "index-button-to" %>
<% end %>
<%= render 'layouts/log_in_out_navigation'%>
</h1>
</div>
<h2>Alpha Bloggers</h2>
<div class="index-container">
<%# cycle through all articles and show them all in a table %>
<% #users.each do |user| %>
<div class = "index-article-container">
<div class="index-article-user" style = "color:rgb(16, 136, 255);">
<%= user.username %>
</div>
<div class="white">
<div class="index-article-title">
<%= gravatar_for(user, size: 150) %>
</div>
<div class="index-article-description">
<%# gives the plural word for multiple articles %>
<%= pluralize(user.articles.count, "article") %>
</div>
<div class="index-article-actions">
<%# shows selected article page %>
<%= link_to 'View Profile', user, class: "index-link-to show" %>
<% if logged_in? && current_user.username == user.username %>
<%# shows selected article EDIT page. edit_article_path because in routes,
the prefix for edit is edit_article && (article) because we need the id for the path as well%>
<%= link_to 'Edit Profile', edit_user_path(user), data: { turbo_method:
:get}, class: "index-link-to edit" %>
<%= link_to 'Delete Profile', user_path(current_user), data: {
turbo_method: :delete, turbo_confirm: "Are you sure? (This will also delete all of your
articles)" }, class: "index-link-to delete" %>
<% end %>
</div>
</div>
<div class="index-created-updated">
Joined <%= time_ago_in_words(user.created_at) %> ago.
</div>
</div>
<% end %>
users/show.html.erb
<div class = "header">
<h1>
AlphaBlog
<% if logged_in? %>
<%= link_to 'Articles', articles_path, method: :get, class: "index-button-to" %>
<%= link_to 'Bloggers', users_path, method: :get, class: "index-button-to" %>
<% else %>
<%= link_to 'Home', root_path(), method: :get, class: "index-button-to" %>
<%= link_to 'Articles', articles_path, method: :get, class: "index-button-to" %>
<%= link_to 'Bloggers', users_path, method: :get, class: "index-button-to" %>
<% end %>
<%= render 'layouts/log_in_out_navigation'%>
</h1>
</div>
<h2> <%= #user.username %>'s profile </h2>
<div class="show-users-image">
<%# gravatar_for method created in helpers/application_helper %>
<%= gravatar_for #user, size: 200 %>
<% if logged_in? && current_user.username == #user.username %>
<div class="index-profile-actions">
<%= link_to "Edit Profile", edit_user_path(#user), class: "index-link-to edit" %>
<%= link_to 'Delete Profile', user_path(current_user), data: { turbo_method: :delete,
turbo_confirm: "Are you sure? (This will also delete all of your articles)" }, class: "index-
link-
to delete", style: "margin-top:0.3vh" %>
</div>
<% end %>
</div>
<h3 style = "text-align:center">Articles</h3>
<%= render 'articles/article' %>
error page
The way to do this in Rails 7 is to update the destroy action in the UsersController by adding status: :see_other after the redirect, as follows:
def destroy
#user.destroy
session[:user_id] = nil
flash[:notice] = "Account and all associated articles deleted!"
redirect_to root_path, status: :see_other
end
I think the answer here is really a very different layout of your routes and controller (or to not reivent the wheel in the first place). Passing the user id through the parameters would be fine if your making a system where you are managing other users - but its pretty wonky when users are managing their own profiles.
For example this is how users CRUD their own profiles in a vanilla Devise setup:
Verb URI Pattern Controller#Action
------------------------------------------------------------------------
GET /users/cancel(.:format) devise/registrations#cancel
GET /users/sign_up(.:format) devise/registrations#new
GET /users/edit(.:format) devise/registrations#edit
PATCH /users(.:format) devise/registrations#update
PUT /users(.:format) devise/registrations#update
DELETE /users(.:format) devise/registrations#destroy
POST /users(.:format) devise/registrations#create
Note the lack of the :id parameter in the URI Pattern. Thats because its implied that the resource in question is the currently signed in user, and that the user is identified through the session (or a token).
The controller is named Registrations to avoid the ambiguity if the programmer later wants to add a UsersController to manage other users.
If you want to do something similiar you can generate singular routes by using the resource macro instead of resources.
# routes for user registration
resource :registrations,
only: [:new, :edit, :update, :create, :destroy]
# routes for viewing other users
resources :users, only: [:index, :show]
Which will generate:
Prefix Verb URI Pattern Controller#Action
-----------------------------------------------------------------------
new_registrations GET /registrations/new(.:format) registrations#new
edit_registrations GET /registrations/edit(.:format) registrations#edit
registrations GET /registrations(.:format) registrations#show
PATCH /registrations(.:format) registrations#update
PUT /registrations(.:format) registrations#update
DELETE /registrations(.:format) registrations#destroy
POST /registrations(.:format) registrations#create
Name it whatever you want. The core takeaway here is to not confuse two completely different problems - user management and user registrations and have separate endpoints and controllers for each responsibilty.
Then in your controller you simply authenticate the user from the session and redirect the user if they are not authenticated:
# Handles user account registration, updates and deleting accounts
class RegistrationsController < ApplicationController
before_action :require_user, except: [:new, :create]
# Displays the form for signing up a user
# GET /registrations
def new
#user = User.new
end
# Register a new user and sign them in
# POST /registrations
def create
#user = User.new(user_params)
if #user.save
reset_session # avoids session fixation attacks
session[:user_id] = #user.id #logs user in automatically once they are signed up
flash[:notice] = "Welcome to AlphaBlog, #{#user.username}!"
redirect_to articles_path
else
render :new
end
end
# Form for editing the users own profile
# GET /registrations/edit
def edit
#user = current_user
end
# Update the currently signed in user
# PATCH /registrations
def update
#user = current_user
if #user.update(user_params)
flash[:notice] = "Account updated!"
redirect_to current_user
else
render :new
end
end
# Cancel the current users registration
# DELETE /registrations
def delete
current_user.delete
reset_session # avoids session fixation attacks
flash[:notice] = "Account and all associated articles deleted!"
redirect_to root_path
end
private
def user_params
params.require(:user).permit(:username, :email, :password)
end
end
# Displays users
# Managing accounts is handled by RegistrationsController
class UsersController < ApplicationController
# GET /users
def index
#users = User.all
end
# GET /users/1
def show
#user = User.find(params[:id])
#articles = #user.articles
end
end
Since their is no id in the path you you need to set the delete button to send to the right path:
<%= button_to "Delete your account", registrations_path, method: :delete %>
And adjust your forms:
<%= form_with(model: #user, url: registrations_path) do |form| %>
# ...
<% end %>
Doing this the correct way would really be to do it the same way that Devise does and have a normal link that sends a GET request to a "Are you sure you want to delete your account?" page when then requires the user to enter their password or email and submits a DELETE request so that users don't accidentially delete their accounts.
But then again don't reinvent the authentication wheel unless you want a long and tedious lesson into wheelmaking.
I'm not sure you have truly got to the bottom of this. In your original approach I suspect two things are going on:
In users/index.html.erb you have link_to 'Delete Profile', user_path(current_user) but I think you want user_path(user). What you currently have will have every delete button try to delete the same user.
The fact that error says your are attempting to execute 'show' rather than 'destroy' makes me suspect that you do not have turbo loaded properly. You don't say what version of rails you are using, but for versions earlier than 7 you don't get turbo out of the box, and you should use UJS instead.
compare this https://guides.rubyonrails.org/getting_started.html#deleting-an-article with this https://guides.rubyonrails.org/v6.1/getting_started.html#deleting-an-article
I have a sessions controller:
class SessionsController < ApplicationController
def new
# No need for anything in here, we are just going to render our
# new.html.erb AKA the login page
end
def create
# Look up User in db by the email address submitted to the login form and
# convert to lowercase to match email in db in case they had caps lock on:
account = Account.find_by(email: params[:login][:email].downcase)
# Verify user exists in db and run has_secure_password's .authenticate()
# method to see if the password submitted on the login form was correct:
if account && account.authenticate(params[:login][:password])
# Save the user.id in that user's session cookie:
session[:account_id] = account.id.to_s
redirect_to users_path
else
# if email or password incorrect, re-render login page:
flash.now.alert = "Incorrect email or password, try again."
render :new
end
end
def destroy
# delete the saved account_id key/value from the session:
session.delete(:account_id)
redirect_to login_path, notice: "Logged out!"
end
end
and an application controller:
require 'open3'
class ApplicationController < ActionController::Base
protect_from_forgery :except => [:destroy]
# Make the current_user method available to views also, not just controllers:
helper_method :current_account
# Define the current_user method:
def current_account
# Look up the current account based on account_id in the session cookie:
if session[:account_id]
#current_account = Account.find(session[:account_id])
end
#logger.debug("current_account: #{#current_account.attributes.inspect}")
end
# authorize method redirects user to login page if not logged in:
def authorize
redirect_to login_path, alert: 'You must be logged in to access this page.' if current_account.nil?
end
end
and in the _header.html.erb, I have:
<div id="account">
<% if current_account %>
<!-- current_user will return true if a user is logged in -->
<%= "Logged in as #{current_account.email}" %> | <%= link_to 'Home', users_path %> | <%= link_to 'Log Out', logout_path, method: :delete %>
<% else %>
<!-- not logged in -->
<%= link_to 'Home', users_path %> | <%= link_to 'Log In', login_path %> or <%= link_to 'Sign Up', new_account_path %>
<% end %>
</div><!-- #account -->
I click the logout link and I get the Login screen, BUT, the current_account.email is still displayed. It appears that the session with key :account_id is not being destroyed. How am I getting to the Login page, but am not logged out?
Quite by accident, I found that if I changed
protect_from_forgery with: :null_session
to
protect_from_forgery :except => [:destroy]
in the application controller,
The problem cleared up. Now, what did I do and are there any bad side effects?
I train to use rails. I have create a system of authentication for the user, of course, he can to access at this informations. But if he's connected, he can to update his informations. And now, i have a problem, the redirection with the patch work however there's no update of his informations for exemple pseudo. The user put a new pseudo, but it doesn't update. But it works in console.
code of controller sessions :
class SessionsController < ApplicationController
def new
end
def show
#page = User.find(params[:id])
end
def update
User.find(params[:id]).update name: params[:name]
redirect_to "/profil/#{current_user.id}"
end
def create
user = User.find_by_email(params[:email])
# If the user exists AND the password entered is correct.
if user && user.authenticate(params[:password])
# Save the user id inside the browser cookie. This is how we keep the user
# logged in when they navigate around our website.
session[:user_id] = user.id
redirect_to '/'
else
# If user's login doesn't work, send them back to the login form.
redirect_to '/login'
end
end
def destroy
session[:user_id] = nil
redirect_to '/login'
end
end
code of show:
<h1>Profil</h1>
<% if current_user && #page.id == current_user.id %>
<%= form_tag "/profil/#{#page.id}", method: "patch" do %>
<ul>
<li><input type="text" name="name" value="<%= current_user.name %>" /></li>
<li><%= image_tag current_user.avatar.url(:thumb) %></li>
<input type="submit" value="Enregistrer mon profil" />
</ul>
<% end
else
%>
<%= #page.name %>
<br>
<%= image_tag #page.avatar.url(:thumb) %>
<% end %>
code of routes :
Rails.application.routes.draw do
get 'sessions/new'
get 'users/new'
# For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
get '/signup' => 'users#new'
post '/users' => 'users#create'
get '/login' => 'sessions#new'
post '/login' => 'sessions#create'
get '/logout' => 'sessions#destroy'
get '/profil/:id' => 'sessions#show'
patch '/profil/:id' => 'sessions#update'
end
After lot of tests, I don't find my mistakes.
Sorry, if my english is no great because I'm french.
thank you in advance ^^
I am new to ruby on rails. I am developing an application which has authentication system.
my problem is I am getting error when logging in to the application in production(Heroku). It is working in development.
Error
I production after i typing url https://akashpinnaka.herokuapp.com/login,
it is redirecting to https://akashpinnaka.herokuapp.comlogin. I am missing the '/' between root_url and 'login' for POST login.
Note: Working in development environment.
My routes are
Rails.application.routes.draw do
get 'welcome/index'
root 'welcome#index'
resources :articles
resources :projects
resources :users
get '/login' => 'sessions#new'
post '/login' => 'sessions#create'
delete 'logout' => 'sessions#destroy'
end
Sessions Controller
class SessionsController < ApplicationController
def new
end
def create
#user = User.find_by_email(params[:session][:email])
if #user && #user.authenticate(params[:session][:password])
session[:user_id] = #user.id
redirect_to root_path
else
redirect_to 'login'
end
end
def destroy
session[:user_id] = nil
redirect_to '/'
end
end
Sessions#new
<%= form_for(:session, url: login_path) do |f| %>
<%= f.email_field :email, :placeholder => "Email" %>
<%= f.password_field :password, :placeholder => "Password" %>
<%= f.submit "Log in" %>
<% end %>
Usually, when your form can't be saved, you don't redirect. You show the same form, with error explanation.
def create
#user = User.find_by_email(params[:session][:email])
if #user && #user.authenticate(params[:session][:password])
session[:user_id] = #user.id
redirect_to root_path
else
# should've been login_path
# redirect_to 'login'
render 'new' # this is better
end
end
If you are sure that you want to redirect, by all means, go ahead. But supply the correct path :)
You need use redirect_to '/login' or redirect_to login_path instead of redirect_to 'login'
#Sergio Tulentsev's answer is pretty good.
You should fix your routes:
#config/routes.rb
root "welcome#index"
resources :articles, :projects, :users
resources sessions, only: [:new, :create, :destroy], path_names: { new: "login", create: "login", destroy: "logout" }
Rails has two sets of path helpers - _path and _url
_path, as we know, is there to provide relative routes (/path).
_url is there to provide direct routes (http://domain.com/path)
Thus, when you have:
get "/login" (with leading slash) in your routes, it will almost certainly cause problems with your applications' relative link helpers.
As mentioned by #Sergio Tulentsev, your create method, and the destroy method, should be fixed to use the correct path helpers:
def create
#user = User.find_by email: params[:session][:email]
if #user && #user.authenticate(params[:session][:password])
session[:user_id] = #user.id
redirect_to root_path
else
redirect_to login_path
end
end
def destroy
...
redirect_to root_path
end
It's worth taking #Sergio's advice on the render :new command too!
I have a custom registration controller, but I don't want to override a create action from devise. When I try to sign up a user, I get this error:
Unknown action
The action 'create' could not be found for Devise::RegistrationsController
Is it asking for it because I have a custom registration controller? If so, does that mean I need to copy all the actions that I'm not overriding from here: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/registrations_controller.rb
Or its because there's something wrong with my application?
My routes:
devise_for :user, :controllers => { :registrations => "devise/registrations" }, :skip => [:sessions] do
get 'signup' => 'devise/registrations#new', :as => :new_user_registration
post 'signup' => 'devise/registrations#create', :as => :user_registration
end
This is my devise registration controller
class Devise::RegistrationsController < DeviseController
skip_before_filter :require_no_authentication
def edit
#user = User.find(current_user.id)
#profile = Profile.new
end
def update
# required for settings form to submit when password is left blank
if params[:user][:password].blank? && params[:user][:password_confirmation].blank?
params[:user].delete(:password)
params[:user].delete(:password_confirmation)
end
#user = User.find(current_user.id)
if #user.update_attributes(params[:user])
set_flash_message :notice, :updated
# Sign in the user bypassing validation in case his password changed
sign_in #user, :bypass => true
redirect_to after_update_path_for(#user)
else
render "edit"
end
end
protected
def after_update_path_for(resource)
user_path(resource)
end
def after_sign_up_path_for(resource)
user_path(resource)
end
end
This is the registration form:
<%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
...
<div>
<%= button_tag :type => :submit, :class => "btn btn-large btn-inverse" do %>
Sign up
<% end %>
</div>
...
<% end %>
Your controller of registration inherits from the wrong class: DeviseController
It is a base class for a registration and has no "create" method, and so does your custom Devise::RegistrationsController class (it has only edit and update methods) - it incurs the error.
In order to create your own custom registration controller for users with fallback to the original devise methods, I suggest you do the following:
1. create "users" folder in controllers folder
2. create there registrations_controller.rb file, and define class there:
Users::RegistrationsController < Devise::RegistrationsController
and override any actions ("edit" and "update")
3. inform the "routes.rb" file about changes:
devise_for :users, :controllers => { registrations: 'users/registrations' }