Question about simple authorization - ruby-on-rails

I am using Devise for authentication, and I only need a simple admin or use check for a few controllers. I'm new to rails, so I'm trying to do this the right way. I've basically added a boolean admin field to the user model and added this method
def is_admin?
admin == 1
end
Then I simply modified the controller action to this
def new
if current_user.nil? || !current_user.is_admin?
flash[:notice] = "You do not have permission to view this page"
redirect_to "/gyms"
else
#gym = Gym.new
respond_to do |format|
format.html # new.html.erb
format.xml { render :xml => #gym }
end
end
end
So this solution works, but should I be doing this a different way?

This will work but I probably would not recommend this solution for anything else than a small scale project. Over time, if you perform authorization checks within your controllers, your code is going to become bloated and difficult to manage.
Instead I would consider using an authorization module such as Cancan which centralizes your authorization rules in one place and thus decouples your application logic from your authorization logic. The end result is cleaner and more maintainable code.
With Cancan in place, your code might look like this:
# app/controllers/gyms_controller.rb
class GymsController < ApplicationController
load_and_autorize_resource
def new
respond_to do |format|
format.html # new.html.erb
format.xml { render :xml => #gym }
end
end
end
end
# app/models/Ability.rb
can :create, Gym do |trip|
user.is_admin?
end

Related

Rails Authority gem, trouble with 'show' action

It's the first time I'm using this gem and it's driving me crazy with something as simple as authorize the showaction only for the resource owner.
I tried different ways, configuring the controller mapping and actions, but always get the unauthorized message for show, other actions work as they should.
It seems that showis not getting it's way to the ApplicationAuthorizer.
This is how it's configured:
class EnterpriseAuthorizer < ApplicationAuthorizer
# This works
def self.creatable_by?(user)
user.is_enterpriser?
end
# This doesn't
def readable_by?(user)
true # Just for testing
end
end
class EnterprisesController < ApplicationController
authorize_actions_for Enterprise
def show
#enterprise = Enterprise.find(params[:id])
respond_to do |format|
format.html
format.json { render json: #enterprise }
end
end
I have include Authority::UserAbilities in User and include Authority::Abilities in the Enterprise model. And User has_one :enterprise
Any idea? Thinking seriously about rolling back to cancan.
Thanks in advance.
Authority has different ways of checking permissions. For collection-based actions (e.g. new, create, index), you use authorize_actions_for Model.
For instance-based actions (e.g. edit, update, show, delete), you must call authorize_action_for #instance.
Change your code to this and it should work.
class EnterprisesController < ApplicationController
authorize_actions_for Enterprise
def show
#enterprise = Enterprise.find(params[:id])
authorize_action_for #enterprise
respond_to do |format|
format.html
format.json { render json: #enterprise }
end
end
end
If you want a less messy way to do this, put the
#enterprise = Enterprise.find(params[:id])
authorize_action_for #enterprise
into a before filter that's called by each instance action.

Abbreviating respond_to

I am currently working on a web application built on Rails 3 that heavily uses Ajax/REST for the client side. Thus, I often find myself writing controller actions like this:
def create
if !params[:name]
respond_to do |format|
format.html { render json: {}, status: :not_found }
format.json { render json: {}, status: :not_found }
end
return
end
account = ...
respond_to do |format|
format.html { render json: account }
format.json { render json: account }
end
end
Nearly all of my actions are returning a json object in a success case or an error code. However, I always have to write this verbose respond_to block and a return, if I want the action to return earlier.
Instead I would like to use something like this instead, or a similar alternative:
def create
if !params[:name]
throw :not_found
end
account = ...
return account
end
How can this be done with Rails 3+ ?
Have a look into inherited_resources. This will allow you to rewrite your controller as:
class SomeController < ApplicationController
inherit_resources
respond_to :html, :js, :json
end
That is it. All of your create/read/update/delete methods will be accessible as usual. You can, as I have in the past, inherit from a master resources controller which uses inherited_resources, and then you can tweak the responses in a more general way.
class ResourcesController < ApplicationController
inherit_resources
respond_to :html, :js
def create
create! do |format|
format.js do
# generic code here for managing all create methods initiated via js
# current model is avialbe via 'resource'
# e.g 'resource.errors'
end
end
end
Then simply inherit from that controller:
class SomeController < ResourcesController
end
This abstraction can be overkill for most purposes, but it has come in extremely handy when working 30 or 40 models which all require similar controllers.
Inherited_resources offers many helpers for accessing the current model (referred to as resource) to facilitate dynamic references, so you can, for example, return relevant forms, or partials based on resource/model name.
To give you an idea of how to use this, you could return forms for the current controller by using the controller name in the parameters. Should be noted that malformed controller names will not reach this method (as it will return 404), so it is safe to use:
format.js do
render "#{params[:controller]}/form"
end
Best of all, you can override any of the methods yourself by defining them in a particular controller.
If your are always returning json, you can ommit the respond_to block and write it like :
def create
if !params[:name]
render json: {}, status: :not_found
return
end
account = ...
render json: account
end

Why would it be better to use an authorization library as opposed to my example?

I am working on adding authorizations to an app I am building and I have a question. I have added an :admin column to my User table and set it as a boolean. In my controller I have added this code:
class ShipsController < ApplicationController
def index
ships = Ship.all
#ships = ships.sort_by { |v| [v[:empire_image], v[:cost]] }
if current_user.admin == true
respond_to do |format|
format.html # index.html.erb
format.json { render json: #ships }
end
else
respond_to do |format|
format.html { redirect_to root_path }
end
end
end
It looks like I will have to add this to all of my actions and this seems wrong. My question is, is doing it this way insecure or just more work for myself but fine.
Also I am using the authentication from railstutorial.org and am wondering if a library like cancan would work well with that.
Thanks for your time,
Nick
This way is not insecure, it's just clutter your controllers, at least consider to use a before_filter to authorize your actions.
Maybe for a simple application use a 3rd party authorization gem could seems overkill but move the authorization rules in a single place is a very good thing (the ability.rb file in the case of CanCan).
You can use CanCan with that authentication system, CanCan just expects a current_user method to exist in the controller.

How do I deal with an authorization hiccup because of bad controller naming?

I seem to have an authorization hiccup in my Ruby on Rails app. I have been using the following method in my application controller and it has been working beautifully.
def require_owner
obj = instance_variable_get("##{controller_name.singularize.camelize.underscore}") # LineItem becomes #line_item
return true if current_user_is_owner?(obj)
render_error_message("You must be the #{controller_name.singularize.camelize} owner to access this page", root_url)
return false
end
I then filter in the specific controllers by:
before_filter :require_owner, :only => [:destroy, :update, :edit]
I recently created a new controller which has a bit of a different naming convention that seems to be causing a problem. Normally my controllers read messages_controller or posts_controller. In this specific case I named the resource box_wod which generated box_wods_controller.
This is the only controller that seems to be having a problem with this filter so I bet I can tell it is in the naming of it and therefore the application_controller method is not recognizing the owner of the record.
I am not getting an error message but the application is not letting me edit, update or destroy a record because I am not the BoxWod owner. My routes are correct as are my associations and the correct information is getting passed to the box_wod table.
Is there a way to rewrite the application_controller method to recognize the additional underscore in the box_wod resource? Or is this even my problem?
UPDATE:
Here are the three methods in the BoxWodsController:
def edit
#workout_count = Workout.count
#box_wod = BoxWod.find(params[:id])
end
def update
#box_wod = BoxWod.find(params[:id])
respond_to do |format|
if #box_wod.update_attributes(params[:box_wod])
flash[:notice] = 'BoxWod was successfully updated.'
format.html { redirect_to(#box_wod) }
format.xml { head :ok }
else
format.html { render :action => "edit" }
format.xml { render :xml => #box_wod.errors, :status => :unprocessable_entity }
end
end
end
def destroy
#box_wod = BoxWod.find(params[:id])
#box_wod.destroy
respond_to do |format|
format.html { redirect_to(box_wods_url) }
format.js
end
end
In situations like this, I like to create a controller method that I can override when necessary. For example:
# application_controller.rb
class ApplicationController
def require_owner
obj = instance_variable_get("##{resource_instance_variable_name}")
# Do your authorization stuff
end
private
def resource_instance_variable_name
controller_name.singularize.camelize.underscore
end
end
# box_wods_controller.rb
class BoxWodsController
private
def resource_instance_variable_name
'box_wod' # Or whatever your instance variable is called
end
end
Lastly, please post your BoxWodsController code so we can better diagnose the problem.
It would seem that the #box_wod instance variable is not created until the require_owner method is invoked so current_user_is_owner? is checking a nil value, resulting in it always returning false. Perhaps you need another before_filter to populate the instance variable before require_owner is invoked.

Different set of Views for different user's roles

I am developing a rails app and I have 2 different user's role: advanced and basic.
Instead of to hide links in the basic user's views (a.i. using CanCan ) I want to manage 2 different set of views: one for the advanced user and one for basic user.
Currently I am working in this way:
case current_operator.op_type
when 'basic'
format.html { render :template => "devices/index_basc.html.erb" }
when 'advanced'
format.html # index.html.erb
end
But I dont like to specify at every action the template for the basic user ( { render :template => "devices/index_basc.html.erb" } )
I think there is some other way (I hope more neat :)
Do you have any ideas ?
Thank you,
Alessandro
You can do something like in this Railscast Mobile Devices:
in config/initializers/mime_types.rb add:
Mime::Type.register_alias "text/html", :basic
in app/controllers/application_controller.rb add:
before_filter :check_user_status
private
def check_user_status
request.format = :basic if current_operator.op_type == 'basic'
end
Now you can just do the following in your controllers:
class SomeController < ApplicationController
def index
# …
respond_to do |format|
format.html # index.html.erb
format.basic # index.basic.erb
end
end
end
As you have only two different user's role you can do this
page = (current_operator.op_type =='basic')? "devices/index_basc.html.erb" : "index.html.erb"
format.html { render :template => page}

Resources