Routing and Forms for a Rails app authentication system - ruby-on-rails

I am having trouble understanding how to craft a Rails application that follows the following scheme:
The site is composed primarily of 'protected' interior paths which require the user be authenticated, in addition to one or two unprotected 'static' pages and a login page served directly from '/' (root_path).
I want users to generally follow the flow that they log in by going to root_path, and any attempt to access a protected page while unauthenticated sends them back to root_path. When the user logs in on the form in root_path, they get sent to home_path (even if they had been sent to root_path via some other page's protection; i.e., no smart forwarding. I may add that later.)
Additionally, trying to browse to root_path while already authenticated should immediately forward the request to home_path. home_path's page will include a link to log out, the effect of which should immediately send the user to root_path.
My question:
What would the routes.rb entries look like to set this up? Assuming I have a Users controller and a Sessions controller, and assuming that I already have command-line authentication (via the irb console) working, what is the correct combination of routes and controller methods that gets this system working? I'm very confused!
In case it helps, here is what I have so far, but I'm so lost that I can't even get this into a working state to test it.
I have a routes file that looks like:
MyAppRails::Application.routes.draw do
  # Login form (new), credential submission (create), logout (destroy).
  resources :sessions, only: [:new, :create, :destroy]
  # The login page is served from '/' (root_path).
  root to: "sessions#new"
  # Logout is DELETE only, so a plain link cannot trigger it.
  match '/signout', to: 'sessions#destroy', via: :delete
  # Post-login landing page (home_path); restricted to GET (in Rails 3 an unqualified match answers every verb).
  match "/home" => 'users#home', via: :get
end
The UsersController only has a home method, and the SessionsController has new, create, and destroy methods.
I'm particularly stuck in that I don't know where to send the sign-in form to - I figure it should point at sessions#new somehow but I don't really get how that works.
Thanks.

You shouldn't need to change your routes, as a before_filter should be placed in each controller where you want to restrict access to logged-in users. A :login_required method could be called to check if a user is logged in and, otherwise, redirect them to your public page.
Generally, I keep the root as a separate controller, site_controller, or something similar. I also make my login path sessions#new and use my before_filter methods to manage redirecting guests that haven't logged in.
This thread may help you.

Related

Where does the unauthenticated redirect happen in Devise authenticate_user?

I am trying to add a URL parameter to my /sign_in route using the Devise gem in Rails 4. I have before_filter :authenticate_user! in my application_controller.rb.
I am wondering where exactly the redirect happens if the user is unauthenticated. I need to add a parameter at this point so I can make some customizations to the resulting view. I have tried overriding the authenticate_user! method and adding my own redirect_to if the user is not signed in but then I get a too many redirects error since, as I said, this method is in a before_filter and is firing more than once.
Does anyone know where I can access this redirect URL?

Which actions do I configure SSL to run against in a Rails 4 app for a credit card and login use case?

I have 2 or 3 instances where I want to encrypt pages in my Rails app:
User and password creation (possibly login as well)
Credit card subscription page
The user creation part is absolutely necessary to encrypt, for the password. The credit card page is actually only necessary from a "feel good" standpoint for conversions. Since we use Stripe, their JS API is served only over SSL and that traffic is always encrypted. So we never get those credit cards. But I still need to give the user the good feeling.
What I have gathered so far from documentation is that I will need to use the force_ssl method in the appropriate controller. And I can use :except or :only just as I do with a before_filter.
I know I will need to use the :new action, but do I also need to specify :create?
Here's what I'm starting with:
# `unless` has to follow the whole call; `force_ssl unless cond, only: [...]` is a syntax error.
force_ssl only: [:new, :create] unless Rails.env.development?
You should use force_ssl for the :create action, this will encrypt all parameters posted to your controller action.
If you really want to make the user feel safe, you should also encrypt the login process and encrypt all pages for a logged in user.

How to use 'post' in routes.rb

Please help me.
I have created a controller 'users' with a view 'login' containing a form to log in users. I have changed routes.rb, changing get user/login to post user/login.
Now when I go to localhost:3000/users/login, this appears:
Routing Error
No route matches [GET] "/users/login"
Try running rake routes for more information on available routes.
Please, what should I do to make that page work? The problem is because I have changed 'get' to 'post' in the routes; is there something more that I should add?
When you just go to that URL in your browser, the type of request is GET, but, as you said, there's no route for this request now.
The POST route will be useful when you actually submit a form on this page, with a simple submit (specify the method attribute as POST) or an AJAX request.
You can use both in routes.rb:
get  'users/login', to: 'users#login'   # GET renders the login form
post 'users/login', to: 'users#login'   # POST receives the submitted credentials
This means that the controller will recognize requests made using both methods. It is up to your controller logic to sort it out. The get would typically be used to render the login form; post would receive the user's username and password, authenticate him/her, and then redirect to a page for successful login (or unsuccessful, if necessary).
I may spark some controversy by saying this but if you are a beginner and you are looking to make a "serious" web site with user authentication, you may not want to leave anything up to chance and instead use a gem like devise (https://github.com/plataformatec/devise) to do it for you. Some will say that it's better to learn how to do it from scratch first, and there's some sense in that, too.

How to show error messages in rails devise plugin for unauthorized page requests?

I am working in a Ruby on Rails project which has implemented its authentication mechanism using the Devise plugin. I am new to this plugin as well as to Ruby, so I am having difficulty fixing a problem in authentication. The problem is, according to the current implementation, if a user tries to access a page in the application without signing in, it redirects the user to the Sign In page, saying that he or she should be signed in or signed up before accessing that page. That's correct. That is the implementation that I need. But what happens is, even if a user goes directly to the Login page, this error message is shown. That is not required, because if a user is directly accessing the Login page, there is no point in giving an error message.
Any help will be appreciated.
Thank You.
You call Devise's authenticate_user! where you shouldn't, and you do not use require_no_authentication.
You must make sure this before filter is called in your sessions controller:
prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
These are taken care of in Devise's default controllers (e.g. Devise::SessionsController); are you using them?

Reject guest access in a rails application

I want to completely lock down a Rails application, such that all routes which are not explicitly authorized for a particular user role are rejected (403).
I inherited this app, so my understanding of the framework is poor, but it currently seems like I have the opposite: everything's open unless I explicitly close it.
I have an authorization_rules.rb file, and I've given the guest role no permissions, yet I can still access pages without being logged in. I think I can go in page by page and make sure a page requires authorization (filter_access_to ?), but I might miss one. How can I just shut everything down, then open access only where I explicitly allow it?
This is using Rails 2.3.5.
Assuming the app uses before_filter to restrict access, you can move the before filter into the application controller and skip it for particular actions in individual controllers:
# app/controllers/application_controller.rb
# Deny by default: this runs before every action in every controller that inherits from here.
before_filter :filter_access

# app/controllers/your_specific_controller.rb
# Opt specific actions out of the global filter (an explicit allow-list).
skip_before_filter :filter_access, :only => [:action1_accessible_by_guest, :action2_accessible_by_guest]
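As an added example (constructed here, not from any of the posts above, and not Rails code): a framework-free Rack-style app that models the first question's login/home/signout redirect flow together with the deny-by-default filter this last answer describes, and the GET/POST split from the 'post' thread, so the rules can be exercised in plain Ruby. It assumes a Hash session under `rack.session` and the raw form body as a String under `rack.input`; `AuthFlowApp`, `USERS` and the credentials are constructed stand-ins.

```ruby
require 'uri'

# Rack-style app modelling the flow from the question: deny by default,
# an explicit allow-list for the public pages, session-based redirects.
# Constructed example; USERS stands in for a real user lookup.
class AuthFlowApp
  USERS  = { 'alice' => 'correct horse' }                 # constructed credentials
  PUBLIC = [['GET', '/'], ['POST', '/sessions'], ['GET', '/about']]

  # env: Rack-like hash with REQUEST_METHOD, PATH_INFO, rack.session (Hash), rack.input (String)
  def call(env)
    session = env['rack.session']
    route   = [env['REQUEST_METHOD'], env['PATH_INFO']]

    # Plays the role of `before_filter :require_login` in ApplicationController,
    # skipped only for the allow-listed (method, path) pairs.
    return redirect('/') if session[:user_id].nil? && !PUBLIC.include?(route)

    case route
    when ['GET', '/']
      # Already authenticated users never see the login form.
      session[:user_id] ? redirect('/home') : ok('login form')
    when ['POST', '/sessions']
      params   = URI.decode_www_form(env['rack.input'].to_s).to_h
      expected = USERS[params['name']]
      if expected && secure_compare(expected, params['password'].to_s)
        session[:user_id] = params['name']
        redirect('/home')             # always /home: no smart forwarding
      else
        ok('login form with error')   # same message whether name or password was wrong
      end
    when ['DELETE', '/signout']
      session.clear                   # drop the whole session, not just user_id
      redirect('/')
    when ['GET', '/home']  then ok("home for #{session[:user_id]}")
    when ['GET', '/about'] then ok('static page')
    else [404, {}, ['not found']]
    end
  end

  private

  def ok(body);     [200, { 'Content-Type' => 'text/plain' }, [body]]; end
  def redirect(to); [302, { 'Location' => to }, []];                   end

  # Constant-time comparison so the password check does not leak timing.
  def secure_compare(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```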
