Rails basic authentication [duplicate] - ruby-on-rails

I am relatively new to rails and right now I am developing a simple log in log out system.
In my app when I log in the URL generated is:
localhost:3000/user/index/7
When I log out I get back to the root. But if copy this URL and paste it in another browser window i get instantly logged in without being directed to the log in form. How to correct this issue.
I tried to store user id in session hash and then upon logout i have set user id in session to be nil. But that does not work. Help needed.
Edited:
In my Home controller
class HomeController < ApplicationController
def signin
user=User.find(:all,:conditions=>["user_login=? AND user_password=?",params[:user] [:username],params[:user][:password]);
if user!=nil
session[:user_id]=user.user_id;
redirect_to({:controller=>'user'})
end
end
end
In User controller i have a logout method:
def logout
session[:user_id]=nil;
redirect_to({:controller=>'home'});
end
My routes.rb file looks like this:
ActionController::Routing::Routes.draw do |map|
map.root :controller => "home",:action => "index"
map.connect ':controller/:action/:id'
map.connect ':controller/:action/:id.:format'
end
Edited:
I have solved this issue I was not checking id value in session hash in User controller index method. But I have another question If i have an app in rails 2.3.17 and I want to shift it to latest version how much changes will I have to make

You can set before_filter for those actions in the controller. using that before_filter you can check session is nil or value is present.
Otherwise you can follow this railscasts video
http://railscasts.com/episodes/250-authentication-from-scratch

This is the default behavior of the basic authentication. Once you get logged in, all your credentials are stored in the session headers which is maintained by the browser. If your clear your cache, then it should prompt for the password again....

I really recommend to use an existing authentication systems, like https://github.com/plataformatec/devise
On this site you can easily get an overview about other existing systems, and of there popularity and development activity.
https://www.ruby-toolbox.com/categories/rails_authentication
You really don´t have to program such stuff by yourself, but if you really like to do it, maybe this could also helps you: http://railscasts.com/episodes/250-authentication-from-scratch-revised. But I recommend devise absolutely.

I think you are trying to reinvent the wheel here. You can use has_secure_password inside your User model and generate a sessions_controller to handle the create and destroy. the methods are basically the same, but with the has_secure_password flag. You should then take care of destroying the session properly.

Related

Newbie with Rails devise and view of the user

I'm looking into RoR some way to: login into the system with DEVISE, (it's working), but i'm needing something than keeps always the view of this logged user, and avoid than this user looks another views.
http://xx.xx.xx.xx:3000/user/1
And this user cannot look the content of:
http://xx.xx.xx.xx:3000/user/2.
Please, sorry if this is a silly question, but, i was looking 2 days and i don't know how i can name this feature.
Thanks!
There are gems available for this Authorization. I prefer can can which is one of the best Authorization gems available
Here is the gem=> https://github.com/ryanb/cancan
And here is the rails cast tutorial using it=> http://railscasts.com/episodes/192-authorization-with-cancan
EDIT: If you want to manually implement this then you just need to make a method with following logic
def check_authorization
# Assuming user ID is coming in params[:id]
if current_user.id == params[:id]
return
else
# render or redirect to some page with access denied message
end
end
And call this method just before any action in which you want to check for authorization.

Redirect_to with variable fir destination link

I have a site where you can enter the name of a business after the domain and if it exists it is displayed. E.g. www.mysite.com/BUSINESS_NAME. I do this through a route:
match ':id' => 'businesses#show', :via => [:get]
It essentially means that a new custom URL is created for each new business that signs up. At the moment each time a new business is created (create form submitted) I am redirected to something like
http://localhost:3000/businesses/42
This is expected as I use:
redirect_to #business
How am I able to redirect to the newly created business and make the URL look like
www.mysite.com/BUSINESS_NAME instead of http://localhost:3000/businesses/42
I thought about making logic in the show action that would work for either URL request but it doesn't look very nice to the end user seeing an ID - I am sure there is something in Rails to mask this sort of information and still pass the ID parameter.
Thanks in advance for any help.
Yes, you can make the url as user friendly.So user can see the simple url that dosen't use the id.
There is a gem in rails that easily solve your problem.
Friendly_id

Rails authentication issue

I am relatively new to rails and right now I am developing a simple log in log out system.
In my app when I log in the URL generated is:
localhost:3000/user/index/7
When I log out I get back to the root. But if copy this URL and paste it in another browser window i get instantly logged in without being directed to the log in form. How to correct this issue.
I tried to store user id in session hash and then upon logout i have set user id in session to be nil. But that does not work. Help needed.
Edited:
In my Home controller
class HomeController < ApplicationController
def signin
user=User.find(:all,:conditions=>["user_login=? AND user_password=?",params[:user] [:username],params[:user][:password]);
if user!=nil
session[:user_id]=user.user_id;
redirect_to({:controller=>'user'})
end
end
end
In User controller i have a logout method:
def logout
session[:user_id]=nil;
redirect_to({:controller=>'home'});
end
My routes.rb file looks like this:
ActionController::Routing::Routes.draw do |map|
map.root :controller => "home",:action => "index"
map.connect ':controller/:action/:id'
map.connect ':controller/:action/:id.:format'
end
Edited:
I have solved this issue I was not checking id value in session hash in User controller index method. But I have another question If i have an app in rails 2.3.17 and I want to shift it to latest version how much changes will I have to make
You can set before_filter for those actions in the controller. using that before_filter you can check session is nil or value is present.
Otherwise you can follow this railscasts video
http://railscasts.com/episodes/250-authentication-from-scratch
This is the default behavior of the basic authentication. Once you get logged in, all your credentials are stored in the session headers which is maintained by the browser. If your clear your cache, then it should prompt for the password again....
I really recommend to use an existing authentication systems, like https://github.com/plataformatec/devise
On this site you can easily get an overview about other existing systems, and of there popularity and development activity.
https://www.ruby-toolbox.com/categories/rails_authentication
You really don´t have to program such stuff by yourself, but if you really like to do it, maybe this could also helps you: http://railscasts.com/episodes/250-authentication-from-scratch-revised. But I recommend devise absolutely.
I think you are trying to reinvent the wheel here. You can use has_secure_password inside your User model and generate a sessions_controller to handle the create and destroy. the methods are basically the same, but with the has_secure_password flag. You should then take care of destroying the session properly.

How to store where a new user was referred? Using Rails + Devise

I have a rails app that uses devise. I'm curious to know, is it possible in the User table to somehow track where a new user came from, the HTTP referrer?
I'd like to know which came from Facebook, Twitter, LinkedIn, Google+ in order to track a viral loop.
Any ideas? Seen anyone do this? Possible? Where should this live in the rails app? Still very new. Thanks
It could be done like this. May require some tweaking and fixing but You'll get an idea
Make before filter for Application controller, you will call it for any action
def landing_filter
if from_other_site(request.referrer) and !session[:referer].blank?
session[:referer] = request.referrer #you don't want to delete first entrance
end
end
from_other_site should be the method which will check domain name in referrer url, if it match your then return false, otherwise true
in devise/registration/new.erb.html view add in form hidden field
<%= f.hidden_field :referrer, session[:referrer] %>
and don't forget to add migration with new database field for user
Save referer somewhere and after creating a user copy information to user table. Using session to save referer works but permanent cookies are better. Cookies can persist the information even when user closes browser and comes again in the next day.
# so basically in ApplicationContreller using before_filter
def referer_before_filter
if cookies[:referer].blank?
cookies.permanent[:referer] = request.env["HTTP_REFERER"] || 'none'
end
end
# and in signup action somewhere else saving that information
#user.referer = cookies[:referer] # or maybe to some other table
Instead of modifying every action you can also use rails sweepers/observers to handle automatic saving every time an object is created.
A good gem to automatically save referer and other needed information is
https://github.com/holli/referer_tracking . You can choose do you want to save information manually or use sweepers to do saving automatically.

Ruby on Rails: Custom actions

I'm new to rails, so I'll just explain my situation to you:
I've got a User Model and a UsersController. Users log in with their email address and a password. Special users can invite other users, by typing the email address of the invitee into a form and hitting submit. The invited user then receives a mail containing a link to activate his account, by entering his password for the first time.
Here's the problem:
The "invitation" form is mapped to the create action of my UsersController atm. But what do I map the "activation" form to?
Is it possible for me to define a custom action "activate" or something that can be accessed like /users/3/activate (of course, there should be some authentication token here too...) and would activate the user with id 3?
I've found some stuff on custom actions, but I don't quite get the hang of it yet.
Thx for any help
You probably have something like this in your routes file. (If not, please post that.)
resources :users
If you want to add a custom action that acts on a single User, you can add that as a :member like this.
resources :users do
member do
get :activate
end
end
Note that using a get for something that modifies data is a bit wrong, but you're talking about hitting this from a link in an email.
As you play with routes don't forget that rake routes will show you all of the routes that you currently have available to you.

Resources