Rails User tracking activity - ruby-on-rails

I want to track user activity on site. I tried ActiveSupport::Notifications but hasn't user_id or something to define a user. As I see, there are 2 ways to do this: through ActiveRecord queries, and through Page Requests. In the first case I should subscribe to all possible user actions with model (after_create, after_destroy etc.), and I have about 20 associated models, that is a lot of duplicate code. The second - I don't know how to do this, but it's seems simply to me.
I'm not using Device or any gem.
Perhaps in the first way, I could include module and make all logic in it, but It's not working.

The problem was solved by adding before_filter :track_activity in ApplicationController, ti calls every time when user enter any page.

Related

Public Activity - show only activity about self created objects

I followed Ryan Bates Tutorial on Public Acticvity. I'm trying to show ONLY notifications about objects the current_user owns.
In my Situation => Comments.
my Activities Controller
class ActivitiesController < ApplicationController
def index
#activities = PublicActivity::Activity.order('created_at desc').where(owner_id: current_user.following_users, owner_type: "User")
end
end
I'm using current_user.following_users to get all followed Users. To get activity if they Upload a Picture.
AT THIS POINT: Activities are shown from all followed User's, and THATS the problem.. All activities.
I want to show only activities that concern the current_user, only activities about his own objects.
For example.
current_user Uploads a Picture, UserX comments on this Picture. I want the Notification.
UserX comments on a Picture from UserY. I don't want this notification.
For now if current_user follows UserX, i'm getting all the notifications from UserX's Activities, and not only the notifications that concerns the current_user.
But i'm completely clueless on how to achieve this. Has anyone some helping hand unoccupied ?
I found a pretty similar problem, but i don't understand the Answer -> Using public_activity with acts_as_follower and devise, how can I show only the user's activities and those of the people he follows?
Another one: Rails getting activity feed that only involves current_user
I think the feature you asked is a bit beyond the scope of general activities, but rather like notifications.
The "recipient" solution should be able to solve this exact problem. But you may still want the owner to show this activity, as well as the current_user. If so you need to create two activities and there needs workaround not to show them all in public. So, this may work, but duplicate record and extra code.
A better logic may be to process activities after created, judge the logic, and send notification, either on request or backend(better).
Notice: Sharmeless ad below :)
I have similar concern before and found it hard to reuse Public Activity's activity records again for other purpose. So I made a gem simple_activity which is even simpler on displaying activities but open the door to reuse them again. This gem is still at very early stage so be cautious. Check it if it helps.

Rails 4 proper way to prevent wrong user creating likes

I tried to find this on google but can't seem to find anything on this. I have a model called Likes, along with a controller which simply belongs to an Event and a User. I would like to prevent people from creating a Like when they're not logged in, and not allow them to create a like for another user. What is the proper way to do this?
Thank you
When you have a user based system, all queries related to user-owned data need to include the user, or originate from it. Most authentication systems have a helper to get the current user, often called current_user.
Assuming some things about your model, for "liking" an event, you could do it a couple ways:
current_user.likes.create(event_id: params[:event_id])
Like.create(event_id: params[:event_id], user: current_user)
Validations can help as well, making sure event and user IDs are always present. If no user is logged in, this should make it fail, assuming someone guessed the path to try and manually create a like.

Keeping POST data during sign up with Devise

I might be approaching this problem the wrong way ... so if you have a more elegant solution I'm all ears.
Imagine I'm making a system like Kickstarter. I want my users to be able to specify how much they want to pledge before I ask them to sign up.
Then, if they're not registered I need them to sign up before putting them back in the flow that they would have been on had they just signed in. Devise makes this easy by redirecting a user back to the after_sign_up_path_for which ends up being after_sign_in_path_for by default.
So this will always issue a GET request. But if I have data that I received from the POST with the amount they wanted to pledge, but that's lost.
Is the only way to do this to store that posted data in the session? Or is there a clever way to start creating the pledge record without the user (without needing to run jobs to destroy orphaned pledge records)?
I found the approach described in this blog post over at highgroove.com quite interesting in this regard: 
http://highgroove.com/articles/2012/10/09/lazy-user-registration-for-rails-apps.html
The basic idea is to always have an anonymous user at hand, even if the current vistor is not registered. Like this you can create e.g. associations as usual and — once the visitor actually does sign–up — you edit the user rather than all associated objects.
If the user does not ever register, you can simply look for abandoned user accounts and delete them including their associations, rather than look for all kind of abandoned models.

Implementing Reservation System Using Ruby on Rails

Build a restaurant reservation system with the following function:
Here's the list of prioritized functions:
Restaurant Owner
can set number of tables (assuming all 4 seating per table)
can review current reservation,
reservation older than 2 hours are automatically cleared
can add reservation done over phone for given day/time
can remove reservation
can update reservation done over phone
Customer
can review number of available table for day / time
can add reservation for day / time, get confirmation number
can cancel reservation with confirmation number
can update reservation with confirmation number
I am completely new to ruby on rails, I just need a simple hint on how to get started and what should be my approach for this problem?
Start by defining the models (entities), their properties, and how they relate to each other. Next, figure out what functionality needs to be exposed to the front end.
(Those steps can occur in either order, or, more realistically, each will affect your thoughts about the other, so it bounces back and forth as you iterate over the various things the system must handle.)
Expand the user stories you have above with conditions you'll encounter and how you'll know it's done. Rails makes it easy to get starting building up preliminary functionality--don't get hung up with how it looks at first, just make sure you can actually do what you need to.
You'll also need a user authentication/authorization system; I recommend using an existing one like authlogic or devise. Whether or not you need something like cancan for authorization I don't know; but you'll need some way of making sure people can only see what they're supposed to be able to.
You'll also need something like eventmachine for sweeping away old reservations (man, in NYC if you're like 10 minutes late, you're outta there!) but take things a step at a time--first just implement the sweeper as a manual process to get the logic worked out.
Good luck!

Best approach for a secure Rails 3 MultiStep Order Form without authentication

Right, im building an order form for a site that doesn't require any kind of user signup or authentication. The form has three models: Order, OrderImage, Print. An order form has many OrderImage's and an OrderImage has many Prints.
A user requires the ability to Upload images (OrderImage's) with their order and also the ability to go back and edit each OrderImage before the Order is confirmed and submitted.
The form is multistep and made up of four stage:
Upload Images
Review Uploads
Your Details
Confirm Uploads
This is fine and everything is working as planned and data is stored to the database throughout the Order process as the user enters more details or uploads more images.
However, this means URL's such as "/upload?order=5" exist which isn't good. Because there is no authentication this means anyone could potentially guess the URL of an Order and change it.
So i'm just wondering what the best way of managing this process is? I've got a couple of ideas in mind, but not sure if any of them are the best solution for the problem:
Generate a random order number within 6 digits for example so the url would be more like: "/upload?order=645029". This would result in there being less chance of someone guessing an order number, but really not very secure still.
Combining the above idea with a status on the order, such as "Complete". So when an Order is finally submitted, it is marked as complete. I could then prevent any "Complete" orders from being accessed again. However, during the Order process, the order number could still be guessed and tampered with.
Making use of the session and storing the order number here instead of in the URL, or as a hidden value in the form.
I have watched Ryan Bates' Railscast on Multistep forms in which he stores data in the session. However, Ryan himself concedes that storing complex Models and objects this way isn't practical.
So any suggestions on the best way for handling a non-authenticated order form would be much appreciated, thanks.
I would go with option #3. You're right that it's not good to store complex objects in the session, but all you need to store is the ID number of the order, then you can look it up in the database. You can use a before_filter to ensure that the requested order belongs to the current user:
class OrdersController < ApplicationController
before_filter :check_ownership, :except => [:new, :create]
private
def check_ownership
redirect_to '/' unless params[:id] == session[:current_order_id]
end
end
This example could easily be extended later to allow users with accounts to view their order history (rather than just the current order). Options #1 and #2 are only masking the problem, and would probably be more difficult to extend later.
I hate to respond with a question... but: How does a user find his order when he come back to the site later?
Without registration, you have to find a way to associate a User with the order!.
I can't see how you could do that securely, whitout at least asking him a unique username.
But then, anyone would be able to guess this username and get to the order!.
I would say, if you don't want authentication... then you should not care that other user see orders of anyone!
If this is a problem, you will need a simple form of auth.

Resources