I am not sure if I am going about this the right way or not.
I have a model Neighborhood. I have a two ways you can add a neighborhood, one as a logged in user and the other as a public person. The forms vary a bit. So I made another view with a custom action. The problem is this action is adding a new record and therefore calls on "create." When it calls the create action it looks to redirect to a path that cannot exist on the public form.
Either I am doing this completely wrong or there is a way to tell my custom action to save the Neighborhood record so I can redirect on the public side.
In the create action, conditionally redirect to either the public / private page depending on the user's status:
def create
# create code goes here
if current_user?
redirect_to neighborhoods_path
else
redirect_to root_path
end
end
Or is there something that I am not understanding from your question?
i think you are saving both (public and registered users), the Neighborhood details are added to the same details. you might different this by having a user id or something
if so, As i see you can use the same controller and action. All you have to do is
identify the user like is_registred? (provided that you have a method to identify if a use is logged or not) and according to the user load layout only
Ex:
pseudo code would be
if is_registred?
render public layout
else
render registerd user layout
and you might have to check authorizations as well. Hope I understood your question
cheers
sameera
Related
Grails noob here. I am build a simple grails app where I have the default create/ edit / list / show pages for a Product domain object. I also have the ProductController. The create method by default does this:
def create() {
[productInstance: new Product(params)]
}
My understanding is this will take me to the create page. And there will be nothing in the params object so everything will be blank.
I want to change the behaviour so that the when the create() method is invoked, a pop up is returned to the User: Sorry you are not allowed to create new data.
The user will stay on the same page and the only thing that will happen is the pop up.
How do I do this without using JavaScript?
Thanks
If the create method is not allowed, why not just remove the create() method from the controller, delete the create.gsp page and remove the 'New' button from the list page?
If you do want to offer a 'New' button and display a popup message that says you can't use the button, that is probably easiest done in javascript.
If you can just display the message in the default grails message panel rather than in a popup, then change the controller method to
def create() {
flash.message = "Sorry you are not allowed to create new data."
redirect(action: "list")
}
Prior to sending the user to the GSP view, you should make a decision in the controller, if the user is allowed to execute the create action. In your controller this could be something simple like:
params.allowed = false
The result of this decision is then passed to you GSP where you can evaluate it inside the GSP using something like:
<g:if test="${params.allowed == false}">
Alert: you are not allowed...
</g:if>
For the alerts, there are good looking alternatives to javascript like: http://getbootstrap.com/components/#alerts
I'm new to cakephp, I'm doing a web application in cakephp 2.3.5, my application has several controllers with corresponding models in each controller. I have actions with their respective views, and other actions that are simply no view functions that are used by other actions.
I have two questions:
One, of such actions is to remove an entity, is there any way that the user does not execute its actions through the browser by entering the URL (eg ... / estudiantes/delete/6)?, Meaning that only actions can launch web browsing.
Two, I have several user page belongs to a different role, of course there will be action in which a specific profile can not use and others who, for this I use the function "IsAuthorized" on each controller, controlling every action and seeing the user and the role it plays using the session, would it be right?
First question: yes, just change the delete action to protected or private and only other actions within your controller can access that. Or, if you're trying to use it with ajax or post, add this in the delete action
public function delete($id=null) {
if ($this->request->is('ajax') || $this->request->is('post'))
//do delete
else
//redirect or throw error or sad face
}
Second question: yes.
Or you could use plugins, like ACL.
When it comes to display a view regarding to authentication (view displayed depending to the visitor if he's a user or not). I face many choices. So I need your help to show me how i deal with such situation :
Using 2 views (one for the users and other for visitors), or just one view.
using 2 actions (one with authorize filter and the other without), or just one action.
And why the choices you suggest is better ?
You don't have to not use Authorize attribute. It's main function is to setup the User in the context, and then by default, it also checks that they are logged in. However, this last part can be overridden by using the AllowAnonymous attribute as well:
[Authorize]
[AllowAnonymous]
public ActionResult SomeView()
{
...
}
So, now your view will have a User to play with, and you can dynamically present different pieces of the view using that based on auth status:
#if (User.IsAuthenticated)
{
<p>Logged in</p>
}
else
{
<p>Anonymous</p>
}
EDIT (for clarification)
The Authorize attribute actually does two distinct things for you. First, it setups all the machinery for recognizing a user: reads the cookie or whatever, checks the authentication status, pulls in the user's info, if they are authenticated, etc. Second, it validates that the user is in fact logged in. Using AllowAnonymous skips this second part and allows anyone, logged in or not, to access the view, BUT and this is key, you still need the first part to know stuff like whether you have an authenticated user or not.
So, simply, using both the Authorize and AllowAnonymous attributes together means essentially, "see if the user is logged in, but don't require it to access this view". That allows anonymous users to still reach the page, but enables you to still deliver unique or different content to an actual logged in user.
In certain Controller I have CRUD methods. In order to access these methods user needs to be logged in. This is why I used [Authorize] attribute for this controller. Now I need additional attribute which would check if item that user wants to view/delete/update belongs to him.
Is it possible and recommended to do this with attribute or you would suggest using check methods inside each method? If you suggest using attribute, could you please provide me some links/instructions?
EDIT:
Ofcourse, if attribute returns false than I don't want to redirect user to login page but show him an error message...
It can be done with a custom Authorize attribute, but it's much cleaner to put the logic inside your controller methods.
The attribute is related to the action being called (the controller class method). On that basis any attribute relating to the user's ownership of the object being manipulated (from your Model) should really be on the entity/class that the user is attempting to manipulate. You'll probably find it easier to validate the user within the Model method rather than using an attribute to achieve this.
In my opinion it is possible, just google for 'Custom Authorize Attribute'.
But maybe it is better to query your database with something like this:
ContextOrSession.Query<Something>.Where(Something.Groups.Intersect(User.Groups).Count>0)
In my Rails controller I want to branch to a different controller's action, show its view and then return back to my original action, i.e. it's not a simple redirect, more like a sub-procedure call.
I want to use this whenever a user does something suspicious, like editing a post too often in a row. I still want to allow the edit, but first the user has to answer some CAPTCHA-like questions on a different page. (Similar to Authlogic-oid, where during validation the user is redirected to the OpenID provider's page)
You can push the current request into the Session, then do a redirect to the captcha, then have the captcha action look into the Session to check where it should redirect to.
IIRC, Autlogic does exactly that with redirect_back_or_default.
You can't.
Convert the common stuff into a helper method and then both the controllers should call this method.
It's possible to create an instance of the other controller and call methods on it, but you should probably reevaluate your organization first (look into helpers, modules, etc.)
#my_other_controller = MyOtherController.new
#my_other_controller.some_method(params[:id])