I'm somewhat of a Rails newbie, and am not quite sure what the convention is when tying users to their objects, such as documents. (And I now know how important it is to go with conventions in Rails)
So far, I have come up with 3 potential solutions in my head:
Making every document essentially a child of every user, using has_many and belongs_to
Giving every document an integer (user_id, or something along the lines of that) that ties it to the user. That way, whenever the user wants an index of their documents, I can identify all those that have the right ID.
It seems like there's some plugins that do user management completely in their own way that doesn't fit into any of the above.
Additionally, I plan on using Devise for user authentication and management. From my understanding, that seems to be the most popular/widely used authentication gem -- please correct me if I'm wrong.
I'm somewhat of a Rails newbie
Welcome to the club, although some people bite, most are totally cool.
tying users to their objects
You've already answered your own question...
#app/models/user.rb
class User < ActiveRecord::Base
has_many :documents
end
#app/models/document.rb
class Document < ActiveRecord::Base
belongs_to :user
end
If a user creates a document, surely that would mean that you'd have to associate documents to users via a has_many / belongs_to relationship...
--
To give you some context, you'll have to add the user_id foreign_key to your documents table:
$ rails g migration AddUserForeignKeyToDocuments
#db/migrate/add_user_foreign_key_to_documents______.rb
class AddUserForeignKeyToDocuments < ActiveRecord::Migration
def change
change_table :documents do |t|
t.references :user, index: true
end
end
end
$ rake db:migrate
This would allow something like the following (using the current_user helper from Devise):
#config/routes.rb
resources :documents
#app/controllers/documents_controller
class DocumentsController < ApplicationController
def create
#document = current_user.documents.new document_params
#document.save
end
private
def document_params
params.require(:document).permit(.....)
end
end
If you're unsure about user authentication, you should go with Devise, although there are other authentication gems such as sorcery
Setting up Devise is simple:
#Gemfile
gem 'devise', '~> 3.5', '>= 3.5.3'
$ rails generate devise:install
$ rails generate devise User
$ rake db:migrate
#config/routes
devise_for :users
#app/controllers/documents_controller.rb
class DocumentsController < ApplicationController
before_action :authenticate_user!
end
This will make it so only logged-in users can access /documents :)
This is primarily an opinion-based question however I tend to see most projects using ActiveRecord's relations (e.g has_many, belongs_to).
you can use devise for authentification (or build an own login system there is a railscast and use cancancan for authorization. some defining of abilities you will find in the documentation
just for example
can :update, Article
or if user can just delete own stuff
can :read, Project, active: true, user_id: user.id
i would also use the ActiveRecord relation with has_many e.g. and has_many through
Related
I am trying to achieve role-based authorization in Rails.
What we require:
Roles should be dynamic, we should able to create, edit, or delete roles.
Permissions also should be dynamic.
Findings:
We can't use the pundit gem because its policies are static and we can't make it dynamic.
We can use the cancan gem and we can use it dynamically but I didn't get how it can be done? And how it works with `database?
It's my first project on the authorization part. We have rails as the back-end and vue.js as the front end. Whatever roles are there, on the database all data should be empty at first. We'll use the seed to create a super-admin role and give all permissions. Super-admin will create roles, edit roles, destroy roles, and also add permissions, edit and destroy permissions eventually.
If there is any other helpful method then please let me know.
Thanks.
Pundit vs CanCanCan
Your conclusions about CanCanCan and Pundit are just nonsense. Neither of them are "static" or "dynamic" and they have pretty much the same features. The architecture and design philosophy are radically different though.
CanCanCan (originally CanCan) is written as a DSL which was the hottest thing since pre-sliced bread back when Ryan Bates created CanCan 10 years ago. It scales down really well and is easy to learn but gets really ugly as soon as you reach any level of complexity. If anything doing "dynamic authorization" in CanCanCan is going to be a nightmare due its architecture. The ability class in CanCanCan is the god of all god objects.
Pundit is just Object Oriented Programming. In pundit your policies are just classes that take a user and resource as initializer arguments and respond to methods like show?, create? etc. Pundit is harder to understand initially but since its just OOP you can tailor it however you want. And since your authentication logic is stored in separate objects it scales up to complexity far better and adheres to the SOLID principles.
How do I setup a dynamic roles system?
This is you standard role system ala Rolify:
class User < ApplicationRecord
has_many :user_roles
has_many :roles, through: :user_roles
def has_role?(role, resource = nil)
roles.where({ name: role, resource: resource }.compact).exists?
end
def add_role(role, resource = nil)
role = Role.find_or_create_by!({ name: role, resource: resource }.compact)
roles << role
end
end
# rails g model user_roles user:belongs_to role:belongs_to
class UserRole < ApplicationRecord
belongs_to :user
belongs_to :role
end
# rails g model role name:string resource:belongs_to:polymorphic
class Role < ApplicationRecord
belongs_to :resource, polymorphic: true, optional: true
has_many :user_roles
has_many :users, through: :user_roles
end
You can then scope roles to resources:
class Forum < ApplicationRecord
has_many :roles, as: :resource
end
Rolify lets you go a step further and just defines roles with a class as the resource. Like for example user.add_role(:admin, Forum) which makes the user an admin on all forums.
How do I create a permissions system?
A simple RBAC system could be built as:
class Role < ApplicationRecord
has_many :role_permissions
has_many :permissions, through: :role_permissions
def has_permission?(permission)
permissions.where(name: permission).exists?
end
end
# rails g model permission name:string
class Permission < ApplicationRecord
end
# rails g model role_permission role:belongs_to permission:belongs_to
class RolePermission < ApplicationRecord
belongs_to :role
belongs_to :permission
end
So for example you could grant "destroy" to "moderators" on Forum.find(1) by:
role = Role.find_by!(name: 'moderator', resource: Forum.find(1))
role.permissions.create!(name: 'destroy')
role.has_permission?('destroy') # true
Although I doubt its really going to be this simple in reality.
If I understand your requirements correctly, you should be able to use Pundit to achieve this.
From what I understand,
Users have roles
Users can be assigned and unassigned roles at runtime
Permissions are given to either roles or users directly.
Permissions can be updated at runtime
So you can have something like,
class User
has_many :user_role_mappings
has_many :roles, through: :user_role_mappings
has_many :permissions, through: :roles
...
end
class UserRoleMapping
belongs_to :user
belongs_to :role
end
class Role
has_many :role_permission_mappings
has_many :permissions, through :role_permission_mappings
...
def has_permission?(permission)
permissions.where(name: permission).exists?
end
end
class RolePermissionMapping
belongs_to :role
belongs_to :permission
end
class Permission
...
end
And in your policy, you can check if any of the user's roles has the required permission.
class PostPolicy < ApplicationPolicy
def update?
user.roles.any? { |role| role.has_permission?('update_post') }
end
end
Edit:
Using the mapping tables, you can update the permissions for a role, and the roles for a user from an admin dashboard.
You can achieve dynamic roles with pundit. pundit let's you define plain Ruby objects with methods that are called to determine if a user has permission to perform an action. For example:
class PostPolicy < ApplicationPolicy
def update?
user.has_role('admin')
end
end
If you want a user to have multiple roles you could set up a has_and_belongs_to_many: :roles association on your User model.
See: https://guides.rubyonrails.org/association_basics.html#the-has-and-belongs-to-many-association
I'm using the gem discard and also rails-admin. I would like to know which is the best approach to list my active users in a shop in rails admin, taking into consideration the users kept
I've created a method in the model shop:
class Shop < ApplicationRecord
include ShopRailsAdmin
has_many :users
def active_users
users.kept
end
end
In rails admin I'm using:
field :active_users do
label 'Users'
end
But I'm receiving an AssociationRelation instead of a CollectionProxy so in the view, the association looks like
#<User::ActiveRecord_AssociationRelation:0x00007f9c34c1f8e0>
Is there another way to do this so I can avoid defining the method in the model shop?
PD: the tag should have been also discard but it does not exist and I could not create it.
Thanks!
You need to define it as an scoped association
class Shop < ApplicationRecord
include ShopRailsAdmin
has_many :users
has_many :active_users, -> lambda {
where(discarded_at: nil)
}, class_name: 'User'
end
I'm assuming you did not personalize the discard_column.
Rails admin should display them right.
I’ve setup a has_many :through association between a User and Organisation model, using a Membership model as the join.
class Organisation < ActiveRecord::Base
has_many :memberships
has_many :users, :through => :memberships
end
class User < ActiveRecord::Base
. . .
has_many :memberships
has_many :organisations, :through => memberships
end
class Membership < ActiveRecord::Base
belongs_to :user
belongs_to :organisation
end
When a User creates an organisation, I want a membership to automatically be created linking the user to that organisation.
Where is the best place to attack this?
Options I’ve been investigating:
Use an after_create callback on the organisation
Move this process into a separate Ruby class.
In the organisations Controller, create action.
?
How would you recommend I go about it?
Is there somewhere in the Rails Guides where it outlines best practices for this kind of thing?
Rails 4.2.5.
#config/routes.rb
resources :organizations #-> url.com/organizations/new
#app/controllers/organizations_controller.rb
class OrganizationsController < ApplicationController
before_action :authenticate_user!
def new
#organization = current_user.organizations.new
end
def create
#organization = current_user.organizations.new organization_params
#organization.save
end
private
def organization_params
params.require(:organization).permit(:x, :y, :z) #-> membership automatically created
end
end
The above will automatically create the associated membership; assuming you're using Devise & have access to the current_user method.
--
The best practice is the most succinct; there is no way you're "meant" to do it.
One of the biggest fallacies I see in Rails is people trying to find the most acceptable way to do something (as if there's a rulebook). The best thing you can do is get it working then refactor the code.
As you progress through your app, you'll find that certain patterns can be changed, some removed and many combined. The more "DRY" you make your code, the better it is (as a rule).
My idea is way 3. Normaly, when set up many - many association in models, we should do creating temp table record auto through controller.
For example in controller you can write:
#organisation = current_user.organisations.build organisation_params
if #organisation.save
....
So that if #organisation is save then after that memberships record auto generate.
You can see this tutorial to see that:
http://blog.teamtreehouse.com/what-is-a-has_many-through-association-in-ruby-on-rails-treehouse-quick-tip
I think you should just be able to do something like:
org = Organisation.new
org.otherstuff = "populate other stuff"
org.users = [user_who_created]
org.save
After that the two should be related...? If you wanted to encapsulate this behavior you could do something like have a class method on Organization like create_org_for_user(name, user) and then do this logic in there, or you could do it in the controller action that handles the creation.
If there isn't any additional logic other than creating an organization and membership, I would just do #3. However, if you are planning on adding more logic for creating a new organization in the future, I would create a new service (#2).
Where is the best place to attack this?
I would like to say you should write this in OrganisationsController's create action to make a DRY on update action as well(use strong parameter) .Because form attribute that you are getting is from outer worlds and it is best to use permit method on required params using Strong Parametre concept.
def create
#organisation = Organisation.new(organisation_params)
...
end
def organisation_params
# here you could write all the params which you want to permit from outer worlds
end
Nore more info about Strong Parameters
I am using CanCan and have been researching how to get started. However, it seems that most of the tutorials aren't very specific, and don't suit my own needs. I'm building a social network where users can create projects and add other users to their projects, allowing those users to moderate that project.
I currently have a Role model with a string attribute, and a User model from devise. Where do I go from here?
I have seen this post, but it doesn't fully explain how to set up the roles and the relationship between the Role model and the ability.rb file from CanCan.
If you need me to be more specific, please say so! I'm not the greatest Rails developer ;)
Edit
I have seen the railscast on this, and it doesn't have a separate Role model which I would like to have. I have tried using Rolify, but people have said it is too complicated and that it's possible to do it in a more simple way. I also ran into some complications so I'd like to just use my own Role model.
Edit
I'm currently using rolify and the roles are working. I found my solution at: https://github.com/EppO/rolify/wiki/Tutorial
If your User-Role stuff is looking similar to following:
class User < ActiveRecord::Base
has_many :user_roles
has_many :roles, :through => :user_roles
# user model has for example following attributes:
# username, email, password, ...
end
class Role < ActiveRecord::Base
has_many :user_roles
has_many :users, :through => :user_roles
# role model has for example following attributes:
# name (e.g. Role.first.name => "admin" or "editor" or "whatever"
end
class UserRole < ActiveRecord::Base
belongs_to :user
belongs_to :role
end
you can do following:
First, extend your User model with a few helper methods or something similar:
class User < ActiveRecord::Base
def is_admin?
is_type?("admin")
end
def is_editor?
is_type?("editor")
end
def is_whatever?
is_type?("whatever")
end
private
def is_type? type
self.roles.map(&:name).include?(type) ? true : false # will return true if the param type is included in the user´s role´s names.
end
end
Second, extend your ability class:
class Ability
include CanCan::Ability
def initialize(user)
if user
can :manage, :all if user.is_admin?
can :create, Project if user.is_editor?
can :read, Project if user.is_whatever?
# .. and so on..
# you can work with your different roles on base of the given user instance.
end
end
end
Alternatively you could remove your User-Roles has-many-through associations and replace it with the easy-roles gem - very useful. It is available on github: https://github.com/platform45/easy_roles
Now you should have an idea how you could work with cancan, roles and all the stuff together :-).
I have a Rails app with three kinds of users, professionals, students and regular citizens. I therefore made the User model polymorphic with three different kinds of profiles.
User.rb
belongs_to :profile, polymorphic: true
Professional.rb
has_one :user, as: :profile, dependent: :destroy
Student.rb
has_one :user, as: :profile, dependent: :destroy
Citizen.rb
has_one :user, as: :profile, dependent: :destroy
I want to use Devise as central sign up and created the devise for the User model
rails generate devise User
and then I created a Registrations controller that inherited from Devise Registrations controller, and in the after_sign_up_path_for method, I assigned the user to whichever of the profiles the user selected on the signup form.
class RegistrationsController < Devise::RegistrationsController
protected
def after_sign_up_path_for(user)
if user.professional === true
user.profile = ProfessionalProfile.create!
user.save!
elsif
....
end
end
Right now, this works, in that, by overriding the def after_sign_in_path_for(resource) in the Application controller, I can redirect users to whatever profile they created
def after_sign_in_path_for(resource)
if current_user.profile_type === 'ProfessionalProfile'
professional_profile_path(current_user)
elsif
....
end
However, even though this works, I have very little experience with Rails (in terms of making my own application; i've followed a few tutorials) and devise, so I'm wondering, before I continue on developing the app, if I'm going to run into problems either with devise or anything else by having created profiles that way. Is there a better way to do this?
I guess as one possible alternative I was wondering if I should try to override Devise's create user action, so that it creates the relevant Profile at the same time.
You can add columns to the user table by using the code:
rails generate migration add_professional_to_users professional:boolean
and similarly
rails generate migration add_student_to_users student:boolean
and also
rails generate migration add_citizen_to_users citizen:boolean
this is a better method according to me as a similar method is described by devise to create an admin, see it here :devise,option1
Similarly you may add these roles. Just an option but one that I feel is better.