Authentication with Ruby on Rails & Devise - ruby-on-rails

I am about to build a new site in ruby on rails for residents at my college.
The site will allow residents to change their passwords for the college-firewalls (which means there are certain requirements).
On the site, each resident will have an account with a number of data assigned to it, and for this I need some authentication.
I've been studying Devise for almost the entire day now, but im starting to wonder if I have a too complicated task, to complete it with Devise.
Problem is, I need the passwords to be stored with DES-encryption, something Im not sure if Devise can handle.
Another thing is, users can't make their own profile. Admins will do that (to ensure correct data), which means that user-creation is not the default one. Since there are no controllers for this, is it even possible to do it that way?
I'm not sure if I should keep on going with Devise, or bite the bullet and write it all from scratch instead. Some opinions would be appreciated.

This page on the Devise wiki ( https://github.com/plataformatec/devise/wiki/How-To:-Create-a-custom-encryptor ) tells you how to set up a custom encryptor.
To make it so that admins create a user, remove the :registerable module from the User model. Then add a user resource to your app, example:
scope 'admin' do
resources :users
end
Set up the new/edit pages with your profile fields, etc., normal rails programming.
For an example using CanCan to control access to the users resource, have a look at this post: http://zyphmartin.com/blog/manage-users-with-devise-and-cancan.

If devise does not exactly do what you need, maybe this recent webcast from Ryan Bates will help you.

Related

Restful management of Devise model records | Rails 5.2

I'm working on a project that involves two Devise models (User and Admin). What I'd like to do is allow for Admin members to be able to view and manage Users in a RESTful way (i.e: index, show, create, update, destroy).
Would the best way be to create a users_controller and treat it like an average RESTful model (modifying each controller action to work with Devise where applicable)?
Any suggestions would be much appreciated.
Thanks.
CLARIFICATION UPDATE
It seems I wasn't clear about the question above. Answers below are about the authorisation of actions affecting the User model. This isn't what I'm asking about. I'm asking about the best way to facilitate the transaction itself, not the authorisation and restriction of the transaction. What would be the best way to have Admin members creating Users and updating User records without using the standard Devise self-signup. My intention is to disable self-signup so as to only allow new User registration by an Admin member creating the User account. Hopefully, this is more clear. Thanks.
I advise you take a look at the following gems Rolify and CanCan, there were integrated with devise here.
Here's a link

Admin Create/Invite New User with Devise

I have a simple rails app using devise--as such (and being a new rails guy), some of these methods are super classed and inherited, I think...
How can I create a few methods in my brand new admin controller to 1) Make a new user and 2) edit current users?
I feel that the typical CRUD operations will make a lot of redundant code and I would like to use some rails best practices to simply allow admins to edit multiple profiles (where users can only edit their own) and also add...
Again, I'm new to rails, so speak slowly. :)
The devise wiki has everything you need to configure/customise devise https://github.com/plataformatec/devise, I know that's not the exact answer but its a good place to start.
have you looked at active admin? http://activeadmin.info/ Works well with devise and gets you up and running with an administration framework very quickly

Path security and before_filters rails

I am currently creating an app where users can create and apply for jobs. However as I am fairly new to rails I am facing a fairly significant security feature in that if any user knows the correct path, for example:
localhost:3000/users/user_id/apps
Then they can see any application made by any user for any job!
I am fairly sure that I need to use a before_filter to check that the current_user.id matches either the user_id found in my jobs table for each job or matches the user_id found in my applications table.
I am really not sure how to structure this though or where to apply the filter - for example is it better to create the filter in the application controller and then apply a skip_before_filter instance where needed.
Any help people can offer on contructing this code and where to place it would be much appreciated! Thanks :)
Before you start looking at authorization solutions such as cancan, a simple approach is to avoid doing
App.find params[:id]
Since an app is associated to a user and you've got current_user setup you can do
app = current_user.apps.find params[:id]
Which will only find apps associated with the user, no matter what the parameters to find.
Where cancan really comes into its own is when you need a more complicated who can do what system. For example a user might be able to edit any job they've created but view (and not edit) another set of jobs.
For example
can :manage, Project, :user.id => user.id
can :read, Project, :department => user.department
This would allow users full access to any of their projects and read access to projects in their department
Another thing about cancan is that rather than having before_filters or macros scattered around your controllers you declare the rules in one place, so it's usually easier to see what's going on. There's loads more info on the cancan wiki an a railscast too.
You are right a before_filter might be an sollution but its not the state of the art solution. Theres a railscast for that,...
http://railscasts.com/episodes/192-authorization-with-cancan/
When your using cancan but not devise you need to create the current_user helper that should return the User object of the currently logged in user...

How Do I Create a User Profile With Devise?

I really like how devise offers an easy to use registration system out of the box but I'm having trouble extending it to do what I need. I need to create a public user profile for each user that shows their information like name, email, bio, and more info. I've done this in the past before with a users/show function but since devise doesn't provide any easily editable controllers, I'm having trouble figuring out how to do this. I've already run rails generate devise:views to copy the devise views to my app but I don't know where to go from here. Any help would be much appreciated.
Sounds like you want users to update their profile at the same time they create their account? If so, you can setup an associated Profile model with the User model. Using accepts_nested_attributes_for you can then create a record for the nested model on devise user registration submit/creation.
Here's a great screencast covering nested models and I also suggest you search other devise relate SO posts as this question has been discussed before.
There is an alternative approach, that is simpler to implement — only allow registered users edit/update their profile. This way you don't have to alter the Devise views and you can setup the various CRUD actions via a separate non-devise controller.
Throw in an Access Control List (ACL) solution such as CanCan (there are other alternatives too!) and you can even allow other users view profiles but deny access to edit/destroy etc.

Using Devise for Two Different Models but the same Login Form

I have seen lots of similar questions here but nothing that quite fits my need.
I am a pretty experience rails developer but this new project is my first time using both Rails 3 and Devise (I'm normally on authlogic).
My app has two different models that I want to authenticate via devise.
One, User is just a standard users model
Two, Business is similar to a user, (it has an email address column too) but it has additional info in the database (address, phone number, etc..)
I want to be able to log them both in via the same login form. Then obviously once they are logged in they will be presented with different info depending on what type of Model has logged in.
It may or may not be relevant that I was planning on using OmniAuth to allow Users (though probably not businesses) to sign up/on via facebook.
Thanks!
What's the easiest way to go about doing this?
I think the only way to handle this would be to have your own custom sign in form and controller that determined the type of user and then sign them in correctly. I would recommend an approach like what mark mentioned for simplicity (take a look at something like CanCan to manage roles).
Another potential problem with having multiple user models is that you will have multiple versions of all the devise helper methods. So for current_<resource> and <resource>_signed_in? you would have current_user, current_business_user, user_signed_in? and business_user_signed_in?. Then you would either have to implement your own versions of these methods or you would need to check both versions everywhere you used them.
Can do this in application_controller?
current_user = current_resource_a || current_resource_b

Resources