Im using devise token auth (which inherently just uses Devise) and I'm trying to modify the resource object before it gets saved upon user registration. The create method, as defined in the source and explained in user documentation has a yield resource if block_given? line, yet, the following code doesnt work as expected
class RegistrationsController < DeviseTokenAuth::RegistrationsController
def create
puts "this works"
super do |resource|
puts "this doesnt work"
end
end
end
Any idea why?
https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/controllers/devise_token_auth/registrations_controller.rb
This base controller doesn't have block invocation.
Probably you meant https://github.com/plataformatec/devise/blob/master/app/controllers/devise/registrations_controller.rb
It has block invocation, but it'll not work, because DeviseTokenAuth::RegistrationsController will not pass block to it.
You need some other way to achieve what you want.
Probably paste code from DeviseTokenAuth::RegistrationsController to your custom controller, or fork DeviseTokenAuth gem and patch it.
Don't forget to make PR
Related
Is it possible to access controller parameters when defining abilities in ability.rb?
I have an event and users that can participate in or create that event. It seems like I could create a different controller action for every possible scenario, e.g. a user signs himself up for an event or a creator deletes someone from the event. However I think it would be a lot easier to read to have less actions and be able to define abilities based on what parameters are being passed in from the client.
Answer
#chumakoff has some good info down below that helped explain how CanCanCan is working. I decided to authorize these actions by default in ability.rb, and then raise an error, e.g. raise CanCan::AccessDenied.new("You cannot delete someone else from this event"), in the controller if I detect incorrect user/event parameter IDs being sent in.
If I understand correctly, you are using cancan's authorize_resource or load_and_authorize_resource controller helper that calculates user abilities based on controller actions names.
But it's not obligatory to use this helper for all actions. You can skip it for actions having complex ability logic and check abilities manually.
For example:
class ParticipationsController < ApplicationController
authorize_resource except: :create # skiping `authorize_resource` for `create` action
# ...
def create
if creator_adds_someone_to_event?
authorize! :add_to, #event
end
if user_signs_up_for_event?
authorize! :sign_up_for, #event
end
# ...
end
So, you can check many different abilities in the same controller action. Just disable default cancancan's behaviour for the action.
Yes there is a debugging tool Named as " pry" . Use that it would help u out. Just use binding.pry wherever u want to check the value of parameters in the code and the console will stop executing at that moment so u can check the value of the parameters.
I'm trying to get cancan incorporated into my first ever Ruby on Rails app.
I'm having a problem getting started... its surely something basic.
My application has a list of projects, and a user may or may not have permission to see any number of them.
I added this to my ProjectsController:
class ProjectsController < ApplicationController
load_and_authorize_resource
My initialize method looks like this:
def initialize(user)
user ||= User.new # guest user
puts "******** Evaluating cancan permissions for: " + user.inspect
can :read, Project do |project|
puts "******** Evaluating project permissions for: " + project.inspect
# project.try(project_users).any?{|project_user| project_user.user == user}
1 == 1 #POC test!
end
end
When I have this, the project index page appears, but no projects are listed.
2 questions I have here:
Shouldn't all of the projects appear since true is returned for all
projects?
The second puts statement is not written to the rails
server console, but the first one is. Why is that???
If I change the initialize method to:
def initialize(user)
user ||= User.new # guest user
puts "******** Evaluating cancan permissions for: " + user.inspect
can :read, Project
end
... I see all of the projects as I would expect
If I remove the can :read, Project line, I get a security exception trying to hit the projects index page.... also what I'd expect.
The block being passed to the :read ability is only evaluated when an instance of the project is available (#project). Because you are talking about the index action, only the collection is available (#projects). This explains why your second puts statement is never appearing. In order to limit your index actions, you need to either pass a hash of conditions into the can method, or use a scope (in addition to the block). All of this information is clearly outlined in the CanCan wiki on Github.
So the puts problem is explainable. What does not make sense is how no projects are showing. When evaluating the index action, CanCan will actually default to ignoring the block entirely. This means that your ability is essentialy can :read, Project anyway (even in the first example) for the index action.
I would be interested to have you try to add a simple scope, just to see if it will work. Try:
can :read, Project, Project.scoped do |project|
true
end
And then see what happens for the index action.
edit:
Given that you can see the projects in the index now, it seems like you need to pass a scope into the ability as well as a block. Please read this Github issue where Ryan explains why the block is not evaluated on the index action.
Blocks are only intended to be used for defining abilities based on an
object's attributes. [...] That is the only case when a block should
be used because the block is only executed when an object is
available. All other conditions should be defined outside the block.
Keep in mind that if your ability is not too complex for a hash of conditions, you should use that instead. The hash of conditions is explained on this CanCan wiki page on Github. If you do need a scope, you will need to pass in the scope and the block. Lets say you have the ability shown above.
On the index action, CanCan will disregard the block because a Project object (#project) is not available. It will instead return projects that are within the scope given, in this case Project.scoped (which will just be all projects).
On the show action, #project is available, so CanCan will evaluate the block and allow the action if the block evaluates to true.
So the reason you need to pass both is so that CanCan can handle both the index and show actions. In most cases, your block will define the same thing as the scope does, only the block will be written in Ruby while your scope will be written Rails' ActiveRecord syntax. You can fine more information about here: Defining Abilities with Blocks.
I have a situation where i need to prevent users from explicitly calling say /town/addBuilding. Town is my controller and addBuilding is the action that is executed.
Now, the thing is that this action should only be executed in my program's code and not by a user requesting to execute it. Moreover, this action is executed like a callback. In my application_controller, when some condition is met, the controller action is triggered and there is a redirection. In php, a simple guard like defining a guard and checking against it would be enough. Is there an equivalent thing in rails and if so, what is the best way to implement it ?
Thanx for reading and i appreciate your help :)
EDIT: I'm pasting some code to make it clearer, note that /town/addBuilding was an example, the controller names and actions below are differently named.
Now, that is the actual application controller code, it is part of a browser game that i'm coding.
def checkQuest
if TavernQuest.hasQuest(current_user)
quest = TavernQuest.getQuest(current_user)
if quest.end_time < Time.now # get quest info and check if the quest has been completed
TavernQuest.deleteQuest(current_user)
redirect_to :controller => 'tavern', :action => 'monsterAttack'
end
end
end
The tavern controller action is just the plain code that i want to execute, but only if the redirection happens inside the application controller.
It seems that you are trying to put logic into a controller which actually should belong in a model or a library.
Why do i say this: aside from the current_user and the redirect, all the code is more related to your model (where the knowledge should be) and not your controller. Your model knows when a user's quest is expired.
Example implementation:
class TavernQuest
def self.user_quest_is_expired?(user)
quest = getQuest(current_user)
if quest && quest.end_time < Time.now
TavernQuest.deleteQuest(current_user)
true
else
false
end
end
end
and in your controller you just need to write
redirect_to :controller => 'tavern', :action => 'monsterAttack' if TavernQuest.user_quest_is_expired?(current_user)
Put the addBuilding method under a line that starts with protected, as follows
protected
def addBuilding
#your code
end
Enjoy!
EDIT: In addition to this you might also wanna use the before_filter in your controllers... I'll post the exact syntax soon.
before_filter :addBuilding, :only => :method_name
method_name is the method from which :addBuilding can be accessed, no other method can access this method after adding in this line..
EDIT: Ok, so based on the info you provided, protected wont work since if we put your secret action under protected only the tavern controller will have access to it.
EDIT: Please consider using Sessions to check if the users have a valid session when they try to to execute the monsterAttack action..
I am using Devise on Rails and I'm wondering if there is a hook or a filter that I can use to add a bit of code to Devise's user registration process and send a welcome email to the user after an account has been created. Without Devise it would be something like this...
respond_to do |format|
if #user.save
Notifier.welcome_email(#user).deliver # <=======
...
The next most popular answer assumes you're using using Devise's :confirmable module, which I'm not.
I didn't like the other solutions because you have to use model callbacks, which will always send welcome emails even when you create his account in the console or an admin interface. My app involves the ability to mass-import users from a CSV file. I don't want my app sending a surprise email to all 3000 of them one by one, but I do want users who create their own account to get a welcome email.
The solution:
1) Override Devise's Registrations controller:
#registrations_controller.rb
class RegistrationsController < Devise::RegistrationsController
def create
super
UserMailer.welcome(resource).deliver unless resource.invalid?
end
end
2) Tell Devise you overrode its Registrations controller:
# routes.rb
devise_for :users, controllers: { registrations: "registrations" }
https://stackoverflow.com/a/6133991/109618 shows a decent (not perfect) answer, but at least better than ones I'm seeing here. It overrides the confirm! method:
class User < ActiveRecord::Base
devise # ...
# ...
def confirm!
welcome_message # define this method as needed
super
end
# ...
end
This is better because it does not use callbacks. Callbacks are not great to the extent that they (1) make models hard to test; (2) put too much logic into models. Overusing them often means you have behavior in a model that belongs elsewhere. For more discussion on this, see: Pros and cons of using callbacks for domain logic in Rails.
The above approach ties into the confirm! method, which is preferable to a callback for this example. Like a callback though, the logic is still in the model. :( So I don't find the approach fully satisfactory.
I solved this by using a callback method. It's not the cleanest of solutions, not as clean as an observer, but I'll take it. I'm lucky Mongoid implemented the ActiveRecord callbacks!
after_create :send_welcome_mail
def send_welcome_mail
Contact.welcome_email(self.email, self.name).deliver
end
I would recommend using a ActiveRecord::Observer. The idea with the observer is that you would create a class with an after_save method that would call the notification. All you need to do is create the observer class and then modify the application configuration to register the observer. The documentation describes the process quite well.
Using the observer pattern means you do not need to change any logic in the controller.
Since a yield has been added to the Devise controller methods a while back, I think this is now probably the best way to do it.
class RegistrationsController < Devise::RegistrationsController
def create
super do |resource|
Notifier.welcome_email(resource).deliver if resource.persisted?
end
end
end
I'd like to be able to dispatch from one controller action to another conditionally, based on a combination of query parameters and data in the database.
What I have right now is something like:
class OldController < ApplicationController
def old_controller_action
if should_use_new_controller
new_params = params.dup
new_params[:controller] = "new_controller_action"
redirect_to new_params
return
end
# rest of old and busted
end
end
class NewController < ApplicationController
def new_controller_action
# new hotness
end
end
This works just fine, but it issues an HTTP redirect, which is slow. I'd like to be able to do this same thing, but within the same HTTP request.
Is there a clean way to do this?
Edit: The bounty will go to someone who can show me a clean way to do this that leaves the controllers and their actions relatively untouched (other than the redirect code itself).
Instead of calling code across actions, extract the code to lib/ or something, and call that code from both controllers.
# lib/foo.rb
module Foo
def self.bar
# ...
end
end
# posts_controller
def index
Foo.bar
end
# things_controller
def index
Foo.bar
end
Create an instance of the controller class:
#my_other_controller = MyOtherController.new
Then call methods on it:
#my_other_controller.some_method(params[:id])
I prefer the module idea, but this should do the trick.
You can also pass parameters as a whole from another controller:
#my_other_controller.params = params
I suspect you want option 3, but lets go through the some alternatives first
Option 1 - Push the controller selection logic into a helper that inserts the right link into your view. Benifits - controllers remain clean, Cons - if decision logic depending on submitted values this approach won't work. If URL is being called by external websites then this won't work.
Option 2 - Push the logic back into your model. Pro's - keeps controller clean. Cons - doesn't work well if you've got lots of sesson, params or render / redirect_to interaction.
Option 3 - Stay within the same controller. I suspect you are trying to replace some existing functionality with some new functionality, but only in some cases. Pro's - Simple and have access to everything you need. Cons - only works if it makes sense to use the same controller i.e. you're working with the same entity such as user, place or company.
Lets look an an example for option 3. My links controller has totally diferent behavour for admins than other users ...
class LinksController < ApplicationController
#...
def new
#Check params and db values to make a choice here
admin? ? new_admin : new_user
end
#...
private
def new_admin
#All of the good stuff - can use params, flash, etc
render :action => 'new_admin'
end
def new_user
#All of the good stuff - can use params, flash, etc
render :action => 'new_user'
end
end
If two controllers are trying to do the same thing, there's a very good chance this should be in a model. Take a good look at your design and -- I'm sorry I don't know your experience level with MVC -- read up on thin controller techniques:
http://weblog.jamisbuck.org/2006/10/18/skinny-controller-fat-model
http://www.robbyonrails.com/articles/2007/06/19/put-your-controllers-on-a-diet-already
http://andrzejonsoftware.blogspot.com/2008/07/mvc-how-to-write-controllers.html
If the problem is that you need the other controller to do the render, then maybe the route should have pointed there to begin with, and still the skinny controller technique should save the day.
If extracting the common code between controllers into a module doesn't work for you, I would use Rack middleware. I haven't seen code that uses ActiveRecord within middleware but I don't know of any reason why it shouldn't be possible since people have used Redis and the like.
Otherwise I think your only option would be to restart processing of the request with something like (untested, pseudo example):
env['REQUEST_URI'] = new_controller_uri_with_your_params
call(env)
This is similar to how integration tests are implemented. But I don't know if everything from call until you hit a controller is idempotent and safe to rerun like this. You could trace through the source and see. But even if it's ok now, it might break in any future version of rails or rack.
Using middleware would avoid this by letting you intercept the request before it's been run. You should still be able to share code with your rails application by extracting it out into common modules included in both places.
Honestly I think just doing the simple thing of factoring the common controller code is likely cleaner, but it's hard to know without the details of your situation so I thought I'd go ahead and suggest this.
Do this:
class OldController < ApplicationController
def old_controller_action
if should_use_new_controller
new_controller_action
end
# rest of old and busted
end
end
and the new controller
class NewController < OldController
def new_controller_action
# new hotness
end
end