Devise::RegistrationsController#show - ruby-on-rails

I have a controller which inherits from Devise::RegistrationsController. I have added a show action to the controller. The problem is that even when the user is logged out they can access this action even though at the top of my controller I have:
before_filter :authenticate_user!, :except => [:new, :create]
Why isn't authenticate_user! disallowing access to my show action?

I tested this with one of my applications. The filter authenticate_person! (it's person in my case) works well for all other controllers but doesn't work for a controller inherited from Devise::RegistrationsController. This may be an issue or limitation with Devise. It needs to be added to the issues discussion on GitHub.
Another workaround is to create a filter method should_be_logged_in? in the application controller, check the person_signed_in? helper there, and redirect accordingly.

Might be an issue with auth scope.
Try adding the following to your controller:
prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy, :show]

Related

rails-4 autocomplete and devise authorization

I have a problem with the gem rails4-autocomplete. It works perfectly, but since I installed Devise for users I need to be signed in to use autocompletion; otherwise it does not work.
Indeed, if I remove the "before_action :authenticate_user!" in application_controller.rb, it works, but I cannot remove it.
How do I skip authentication for rails4-autocomplete, in the same way authentication is skipped on index and show?
skip_before_action :authenticate_user!, only: [:index, :show]
How can I do it?

You might have figured this out by now, but the secret to your question is to run
rake routes
You'll notice that there is a named route created for your autocomplete. Then you'll just whitelist that method name (which you'll glean from the routing table).
So take a look at the routes; the one with "autocomplete" at the front of it is the one you need.
Then, in the controller where your autocomplete is processed, add a whitelist for Devise if it's on that action, like so:
skip_before_action :authenticate_user!, only: [:index, :autocomplete_brand_website]
I threw together an example app that illustrates how this works in its most simplistic form:
https://bitbucket.org/bunglify/so-autocomplete-devise/overview

You can skip before_action on certain actions using the except parameter:
before_action :authenticate_user!, except: [:index, :show]
You can also skip a before_action that was inherited by using skip_before_action in UsersController:
skip_before_action :authenticate_user!, only: [:index, :show]

devise skip authentication based on route

Having devise_for :users makes all methods of the Users controller authenticated by Devise. I'd like to skip a couple of methods, e.g. users#api and users#do_stuff, to make a public API with a self-written auth method.
How can I do it?
UPDATE.
skip_before_filter :authenticate_user!, only: [:api, :do_stuff]
still gives me {"error":"You need to sign in or sign up before continuing."}

Try this -
skip_before_filter :authenticate_user!, :only => [:api, :do_stuff]
Inside users_controller.rb, add the lines below:
before_action :authenticate_user!, :only => [:api, :do_stuff]
I assume that you only want to authenticate on these two method calls in users_controller and have not added any authentication filter in application_controller.

Devise rubygem - How do you filter actions for authenticated/non-authenticated users?

I am new to Rails and I need to create a simple Rails project with these conditions:
there must be a page with some articles (title + body)
anyone can read those articles
only authenticated users can create/edit/delete those articles
I used scaffold to generate a controller for articles and the gem Devise to create the authentication system. But I don't know how to implement the necessary conditions.
Thanks for the reply.

If your user model is called user, then you would include the following in your controller:
before_filter :authenticate_user!
If it is not called user, you would replace the word user in authenticate_user with whatever it is.
You would add this directly under your controller declaration, like so:
class ArticlesController < ApplicationController
  before_filter :authenticate_user!
  # rest of code
end
If you want to restrict only certain actions in the controller to logged in users, you can use except to exclude some actions. Here, index and show can be seen by anyone:
before_filter :authenticate_user!, :except => [:index, :show]
or only to include specific actions. Here, only authenticated users can do the listed actions:
before_filter :authenticate_user!,
  :only => [:new, :edit, :create, :update, :destroy] # the scaffold action is destroy, not delete

How to WhiteList with before_filter, by removing certain controllers

I'm wondering if there is a way to whitelist controller authentication using before_filter, while also excluding the controllers you choose. Something like this in the application controller:
before_filter :authenticate_user!, :except_controller => :home
Is there a way to do that without having to put a before_filter on every controller, which is kinda messy?

Add this to your Home Controller to skip authentication on all actions of your home controller.
skip_before_filter :authenticate_user!

Put the before_filter in the application_controller. All your other controllers should extend this one (assuming a normal Rails setup) and thus inherit the behavior.
Then, put the following in any controller where you want to skip the before filter:
skip_before_filter :authenticate_user!, :only => [:new, :create]
The :only option is, well, optional. Use it to specify which methods skip the before filter. If you don't have the :only, then the entire controller will skip the before_filter.
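
Added example (not from the answers above, and not Rails or Devise code): a small Ruby model of how inherited before_filter and skip_before_filter declarations resolve per action, used to list which actions stay reachable without authenticate_user!. FilterModel and the controller setups are hypothetical; the model assumes, as with before_filter-era Rails, that a name in :only or :except matching no action is ignored rather than rejected.

```ruby
# Simplified model of before_filter / skip_before_filter resolution; not Rails or Devise code.
class FilterModel
  attr_reader :rules
  def initialize(actions, parent = nil)
    @actions = actions.map(&:to_s)
    @rules = parent ? parent.rules.dup : [] # subclasses inherit declarations
  end

  %i[before_filter skip_before_filter].each do |kind|
    define_method(kind) do |name, only: nil, except: nil|
      @rules << [kind, name, only, except]
      self
    end
  end

  # Actions that can be reached without filter `name` having run.
  def unprotected(name)
    @actions.reject { |action| runs?(name, action) }
  end

  # Names given in :only/:except that match no action (likely typos).
  def unknown_names(name)
    listed = rules_for(name).flat_map { |_, _, only, except| Array(only) + Array(except) }
    listed.map(&:to_s).uniq - @actions
  end

  def rules_for(name)
    @rules.select { |_, filter, _, _| filter == name }
  end

  # Re-declaring a filter replaces it; a skip removes the actions it matches.
  def runs?(name, action)
    rules_for(name).reduce(false) do |active, (kind, _, only, except)|
      hit = applies?(action, only, except)
      kind == :before_filter ? hit : active && !hit
    end
  end

  def applies?(action, only, except)
    return true unless only || except
    listed = Array(only || except).map(&:to_s).include?(action)
    only ? listed : !listed
  end
end

# Constructed controllers: ARTICLES misspells destroy as delete in :only.
SCAFFOLD = %i[index show new edit create update destroy]
APP      = FilterModel.new([]).before_filter(:authenticate_user!)
ARTICLES = FilterModel.new(SCAFFOLD).before_filter(:authenticate_user!, only: %i[new edit create update delete])
```

ARTICLES.unprotected(:authenticate_user!) returns index, show and destroy: the first two are intended, while destroy is exposed because :only names delete, which unknown_names reports. Rails 7.1 added config.action_controller.raise_on_missing_callback_actions, which turns such a mismatch into an error.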

Is there any way to apply a different filter to an action of a controller than the parent controller has in Rails 3?

At the beginning of my controller I have filter_resource_access which requires login for all actions on the controller.
However, for one action, I want to have a different authorization mechanism.
Is there any way to have a different filter, perhaps a before_filter, for that action only, without requiring the login that the parent filter requires?

For filter_resource_access, it looks like you have to swap it out for custom before_filters and filter_access_to filters. See here; search for 'filter_resource_access'.
You can specify which controller actions a filter applies to. You can either exclude or include actions like so:
before_filter :filter_action, :except => [:index, :edit]
before_filter :filter_action2, :only => [:index, :edit]
Click here for the associated Rails docs. Check out the 'Filter chain skipping' and 'Filter conditions' sections.
