I'm learning Rails 4 and I'm looking to build in some basic admin functionality such as creating and viewing users. I can think of a few ways to do it manually, (such as creating a new controller or adding filters) but I'm pretty sure there's a "Rails Way" to do this easily. I've been digging through the docs and I see references to "built in authentication" that support my hunch, but I can't find the actual documentation.
For example, in CakePHP you can just prefix actions with admin_ and /admin/controller/action will work automatically. Is there a similar convention for Rails? If so, where can I find it?
Update:
As I continue to research this, I start to get the impression that admin authorization in Rails is commonly not handled by the Rails core, but rather in a gem like cancan. Perhaps this is why I was striking out by searching the Rails docs.
Update2:
This question wasn't intended to be a round-up of authorization gems, but since it appears gems are the typical way to handle even basic admin authorization, I'd like to find the simplest, most basic (and hopefully universal) option. A couple options have been proposed below which come bundled with default dashboard views and elaborate configurations. I don't need all that. Just a simple, reliable strategy for dividing users into admins and non-admins with different scopes of allowed actions.
Check out the awesome rails_admin gem. It automatically generates just about everything you could need. Very handy and awesome project. https://github.com/sferik/rails_admin
Authentication is handled via the devise gem and authorization via cancan.
It's no replacement for custom admin functionality if you have very specific requirements, but it's great for general admin tasks you described.
Related
I have an existing rails app with Mongo DB.Currently the app can be accessed by anyone that is every method in Portfolio controller and customer controller. Now I want that Portfolio controller should only be accessed by sign in user. How can I do that. I tried using active_admin but was unsuccessful.
You're looking for User Authentication. Try any authentication plugin like Devise or Clearance to sign in and distinguish individual users (more options here) or, even better at first, try building your own authentication solution alongside some of these excellent RailsCasts on User authentication (the paid episodes are totally worth it!). You'll learn how the different moving parts fit together real quick.
You might also want to consider using the Sorcery (https://github.com/NoamB/sorcery) gem as another option. It has links to the railscasts on the github repo there which helped a lot, and myself as a beginner found the wiki to be incredibly in-depth. Super easy to use.
I have a Rails app that I need to put access control on. (Some pages can be accessed by everyone, some pages can only be accessed by certain LDAP groups of people, etc.) What's the best way to handle this access control?
One way is to have a before_filter in all of my controllers that checks, for each action, whether the user belongs to an LDAP group authorized for that action. (But this seems possibly messy.) Is there a better way?
You should do this kind of thing with a authorization mechanism.
CanCan is really popular, and also quite simple: https://github.com/ryanb/cancan
You can find other gems for handling authorization here: https://www.ruby-toolbox.com/categories/rails_authorization
I highly recommend reading this book if you're new to Ruby On Rails. The section that talks about exactly what you need is here.
As far as I know, the before filter works perfectly, and isn't messy because it's handled in the controller for the page.
I've been using rails for a while and have used restful_authentication for user logins for the past few years. However this doesnt seem to be getting maintained any more, so was thiking it is time to move to another plugin.
Does anyone have any suggestiosn on what I should be using / is the most popular these days.
Only requirments I have are
It needs to work with rails 3
It needs to work with a model called Client instead of the standard User model.
Thanks,
Jon
Checkout Devise, it's still maintained and there are a lot of support resources out there. It also has extendable plugins, so you can authenticate with Twitter, Facebook, or really any OAuth2 solution
Here are a few:
http://railscasts.com/episodes/209-introducing-devise
http://railscasts.com/episodes/210-customizing-devise
http://www.kiwiluv.com/techblog/?p=397
Have a look at Devise:
http://github.com/plataformatec/devise
Jon,
If you decide to go with Devise, note that you can manually override the default user class during installation. (The default is "User".) IMHO you're correct in that Devise seems to generally be maintained more, especially compared to restful_authentication. If you're torn between the two for your Rails 3 app, I'd recommend giving Devise a shot first.
I am building a project management app and I am not sure which is the best/correct authorization model to implement given I am new to Rails (and programming in general). Here is what I am trying to do.
I want to be able to add a "client" to the application and then multiple projects to a client. I would like to be able to add users (that are essentially representatives of the client) to view that clients multiple projects but not other clients. I intend on having controllers for time tracking, notes, comments and images all to be associated with both clients and project of that client.
In addition, I would like to set up the account to control who is able to have one. I don't need the user to establish an account on their own.
Does that make sense?
I believe what you are mentioning is called Authorization not Authentication, anyway:
I would suggest acl9 for authorization and authlogic for authentication.
These (free) Railscasts should give you some food for thought. There are lots of great RubyGems/plugins out there for this sort of thing.
The Ruby Toolbox gives you an overview of tools and their popularity in the rails community (rated by watchers and forkers on GitHub). As you can see there, the suggested plugins restful_authentication and authlogic are almost on the same level.
Restful Authentication is still the golden standard for user authentication in ruby on rails.
I have used Authorization plug-in in the past and like it because it gives some nice meta methods such as:
user.is_eligible_for_what --> returns array of authorizable objects for which user has role "eligible"
user.is_moderator_of? group --> returns true/false
user.is_moderator_of group --> sets user to have role "moderator" for object group.
user.is_administrator --> sets user to have role "administrator" not really tied to any object.
There's also a brand new RailsCast on CanCan.
I'd use AuthLogic for authentication (logging in users and making sure they are who they claim to be) and declarative_authorization for authorization (making sure they have access to resources). See Ryan Bates' excellent Railscasts on AuthLogic and restful_authentication for more info.
I'm looking for a quality Administrative plugin for Rails. It seems that most of the existing plugins/gems (e.g. "restful_authentication", "acts_as_authenticated") revolve around self-signup, etc. However, I'm looking for a full-featured Administrative/Management role-based type of solution -- but not one that's simply tacked on to another non-role-based solution.
If I can't find one, I suppose I'll roll my own...just wasn't looking to re-invent the wheel.
Ryan Bates has recently made two railscasts on authorization (note the difference between authentication and authorization; authentication checks if a user is who she says she is, authorization checks if the user has access to a resource). Episode #188 is on declarative_authorization, which is a really powerful authorization plugin. Episode #192 (sorry, I don't have enough reputation to link to it) is about Ryan Bates' own CanCan plugin, which is a much simpler plugin, but it would still work for most apps.
There are a few out there. I have used:
http://github.com/DocSavage/rails-authorization-plugin/ for applications before in conjunction with restufl_authentication, but I believe it will work with any authentication that gives you a current_user method. On github there is also http://github.com/mdarby/restful_acl/ and http://github.com/danryan/role_model/, they are just role based stuff though I'd say not authentication as well.
The authentication and the access control role based stuff are all available as seperate plugins/gems to the best of my knowledge, and that's a good thing as they are different beasts. Not all apps that have authentication need to have ACL type stuff and even some that do only need a really simple am I an admin kind of thing rather than a full blown user roles thing. So I'd say if you want one that does it all you'll have to write, if you don't want to do that than I'd say a combination of either Authlogic or restful_authentication with on of the authorization plugins will do the trick quite nicely.
You might check out the links in "Which Rails plug in is best for role based permission?".
None of the solutions listed there seem very appealing to me. The top contender, role_requirement apparently requires restful_authentication, but I find AuthLogic much better designed and less intrusive. The others listed seem to not be very actively maintained.