rails - authentication, authorization and auditing confusion - ruby-on-rails

I am trying to decide on an AAA plugin (or plugins) but there seem to be so many of them! And a lot of the posts seem quite old, 07/08.
I saw Goldberg but it seems like the site is down...
My app needs login, logout and forgotten passwords, and needs to be able to restrict a user based on controllers/methods (role based).
On the auditing side I need to be able to log when a user edits/creates data.

You can start by looking at Devise for authentication, and CanCan for simple authorization.
For logging, I don't know if there are any plugins, but you can easily write an observer.
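The two pieces the answer points at (restricting a user by controller/action according to role, and an observer that records who created or edited what) can be sketched without any framework. The following is an added example in plain Ruby, not code from the answer, from Devise or from CanCan; the `PERMISSIONS` table, `Ability`, `AuditLog` and `Article` are hypothetical names, and the policy is constructed for the example. `Ability` plays the part a CanCan ability class plays, and `AuditLog` the part of the observer.

```ruby
require 'time'

# Constructed sample policy: role => { controller => allowed actions }.
# nil means every action on that controller. Not a real app's config.
PERMISSIONS = {
  admin:  { 'articles' => nil, 'users' => nil },
  editor: { 'articles' => %w[index show new create edit update] },
  viewer: { 'articles' => %w[index show] }
}.freeze

User = Struct.new(:id, :name, :role)

# Hypothetical stand-in for a CanCan-style Ability class: answers
# "may this user call controller#action?", denying by default.
class Ability
  def initialize(user)
    @user = user
  end

  def can?(controller, action)
    allowed = PERMISSIONS.fetch(@user.role, {})
    return false unless allowed.key?(controller)
    actions = allowed[controller]
    actions.nil? || actions.include?(action.to_s)
  end
end

class AccessDenied < StandardError; end

# Call before dispatching an action; raising means a call site cannot
# silently skip the check.
def authorize!(user, controller, action)
  return true if Ability.new(user).can?(controller, action)
  raise AccessDenied, "#{user.role} may not call #{controller}##{action}"
end

# Append-only audit trail: who did what to which record, when, and what
# changed. Plays the part of the observer the answer mentions.
class AuditLog
  Entry = Struct.new(:at, :user_id, :action, :record_type, :record_id, :changes)

  attr_reader :entries

  def initialize
    @entries = []
  end

  # `changes` is attribute => [old, new], the shape ActiveRecord's
  # saved_changes would hand an after_save observer.
  def record(user:, action:, record:, changes:, at: Time.now.utc)
    @entries << Entry.new(at, user.id, action, record.class.name, record.id, changes)
  end
end

# Hypothetical model that notifies the audit log after create/update.
class Article
  attr_reader :id, :title

  def initialize(id:, title:, audit:, user:)
    @id, @title, @audit = id, title, audit
    @audit.record(user: user, action: :create, record: self,
                  changes: { 'title' => [nil, title] })
  end

  def update_title(new_title, by:)
    old = @title
    @title = new_title
    @audit.record(user: by, action: :update, record: self,
                  changes: { 'title' => [old, new_title] })
  end
end

if __FILE__ == $0
  log = AuditLog.new
  alice = User.new(1, 'alice', :editor)
  bob = User.new(2, 'bob', :viewer)
  authorize!(alice, 'articles', 'create')
  article = Article.new(id: 10, title: 'Draft', audit: log, user: alice)
  article.update_title('Final', by: alice)
  begin
    authorize!(bob, 'articles', 'update')
  rescue AccessDenied => e
    puts "denied: #{e.message}"
  end
  log.entries.each do |e|
    puts "#{e.at.iso8601} user=#{e.user_id} #{e.action} " \
         "#{e.record_type}##{e.record_id} #{e.changes.inspect}"
  end
end
```

The audit entry carries the acting user's id rather than a name, so the trail stays meaningful after a rename, and the denial path raises rather than returning false so a forgotten check shows up as an error instead of a silent bypass.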

Related

What is the best way to handle emails when using Rails + Devise for an API

I have a Rails-based API that has successfully integrated Devise. One remaining question I have is how to handle emails (confirmation and reset password). Devise automatically sends out these emails with links to its views. Since the API shouldn't handle views, what's the best way to deal with this? My questions are:
Is it inevitable that the API would contain some html templates since Devise sends out these emails? Is there a way for these templates to be on the client side?
How do I do with the links, which contains information like confirmation tokens and reset_password_tokens? I am not well-versed in client-side tech but should the links point to the client side's domain so that it can capture, rip out the tokens and make the calls in the background?
Thank you.
I've used Devise for a few API-only Rails projects. Frankly, IMHO, Devise is too heavy and opinionated for such projects. I love Devise, but there's a lot of magic and assumptions. One of the assumptions is that you'll be using traditional Rails views. This isn't what you asked, but FWIW you might check out some other authentication libraries, like https://github.com/thoughtbot/clearance.
1) I don't see a way for your client app to have an email template. This action is happening entirely outside your client. Rails is sending emails, which your users then view using their email client (I'm assuming your client app isn't actually an email client).
I think the Rails api is the proper place for email templates in this case. I cannot think of a way that you could involve your client app in this. Even if you could, why would you want to do so?
2) There are a few ways to handle the links to password resets. The first thing you could do, as you state, is simply to grab the data and write your own views. But that seems like quite a lot of work, and you might end up fighting a lot with Devise.
An easy solution is to just let Devise own this stuff, and use Rails views. It's messy, but simple and easy. Devise is very opinionated, and this is the path of least resistance. It seems to me that you are trying to swim upstream here, based on a principle of separation of concerns. I'd argue that using Devise makes it very difficult to do that.
If you really must have your client app render all views, including ones for this feature, then you might consider just rolling your own password reset feature and keeping Devise out of the mix.
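For the second question (links that carry a confirmation or reset token and point at the client's domain), the safe shape of such a flow is the same whether Devise or hand-rolled code produces it: the API stores only a digest of the token, the email link points at the client app, the client extracts the token and posts it back, and the API checks expiry and consumes the token. The following is an added plain-Ruby example, not code from the question, the answer or Devise; `PasswordResetTokens`, its in-memory store, the `/reset-password` path and the one-hour TTL are constructed for the example.

```ruby
require 'securerandom'
require 'digest'
require 'uri'

# Hypothetical store for pending reset tokens. In an app this is a table
# column holding the digest plus an expiry, which is also the shape Devise
# uses for reset_password_token.
class PasswordResetTokens
  TTL = 60 * 60 # tokens live one hour (constructed value)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @pending = {} # digest => { user_id:, expires_at: }
  end

  # Issue a token for the user. Only the SHA-256 digest is stored, so a
  # leaked table does not hand out usable reset links. The raw token is
  # returned once, to be put into the email and nowhere else.
  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32)
    @pending[digest(raw)] = { user_id: user_id, expires_at: @clock.call + TTL }
    raw
  end

  # The link the email carries points at the client app's domain, not at
  # any view on the API; the client reads the token and posts it back.
  def reset_link(client_base_url, raw_token)
    uri = URI(client_base_url)
    uri.path = '/reset-password'
    uri.query = URI.encode_www_form(token: raw_token)
    uri.to_s
  end

  # What the client side does with the link the user clicked.
  def self.token_from_link(link)
    query = URI(link).query
    return nil unless query
    URI.decode_www_form(query).to_h['token']
  end

  # API endpoint logic: resolve the token to a user, enforce expiry and
  # consume it so it cannot be replayed. Returns the user id or nil.
  def redeem(raw_token)
    entry = @pending.delete(digest(raw_token.to_s))
    return nil if entry.nil?
    return nil if @clock.call > entry[:expires_at]
    entry[:user_id]
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

if __FILE__ == $0
  store = PasswordResetTokens.new
  raw = store.issue(7)
  link = store.reset_link('https://app.example.test', raw)
  puts "email link: #{link}"
  token = PasswordResetTokens.token_from_link(link)
  puts "API redeemed token for user #{store.redeem(token).inspect}"
  puts "second use: #{store.redeem(token).inspect}"
end
```

Looking the token up by its digest is what lets the link omit the user id entirely, and deleting the entry before checking expiry means an expired token is gone on first presentation as well.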

How to permit only single session for a single account with restful_authentication (rails plugin)

I use the restful_authentication plugin in a Rails 2.3.5 application.
In this application, I want to permit to login with a single session for a single account at the same time.
In other words, I don't want the users to login with single account using several computers.
Does the restful_authentication plugin support this function?
If not, how can I realize this function?
Please give me some advice.
Thank you very much in advance.
Out of the box, no. You could track the session ID in a table with the user ID and then check that the same session ID is being used. However, this is clunky and you're going to cause problems for the user when he forgets to log out. You'll need to implement some kind of timeout for the sessions as well, so that you don't end up with sessions locking a user out forever.
The alternative would be to switch to authlogic. It also does not support this out of the box, but it should be easier to implement. One likely solution has been posted here. I haven't tested what was written there, but the approach looks a lot like what I would attempt to do in this situation.
Having used both restful_authentication and authlogic in many apps, authlogic wins hands-down. There's also Devise, which many people have had success with. (I'm not one of them, but maybe my needs didn't align with what this gem was offering.) You should definitely explore Devise and authlogic before hacking something into your existing setup, because the more modular designs of the newer gems should yield cleaner code when it's over.
Also: Update your Rails to the latest 2.3.*. There have been many security fixes since 2.3.5.
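The first answer's approach (keep the session ID next to the user ID, check that the same session ID is still the one in use, and expire stale entries so a user who forgot to log out is not locked out forever) is small enough to show in full. The following is an added plain-Ruby example, not code from the answer, from restful_authentication or from authlogic; `SingleSessionRegistry` and its in-memory hash are hypothetical stand-ins for the table the answer describes, and the injectable clock exists only so the timeout can be exercised deterministically.

```ruby
require 'securerandom'

# Hypothetical in-memory registry standing in for a table of
# (user_id, session_id, last_seen). Constructed for this example.
class SingleSessionRegistry
  Record = Struct.new(:session_id, :last_seen)

  def initialize(timeout_seconds: 30 * 60, clock: -> { Time.now })
    @timeout = timeout_seconds
    @clock = clock
    @by_user = {}
  end

  # Strict policy: refuse the login while another live session exists.
  # Returns the new session id, or nil when the account is already in use.
  def login(user_id)
    existing = @by_user[user_id]
    return nil if existing && !expired?(existing)
    issue(user_id)
  end

  # Alternative policy: newest login wins and the older session is evicted.
  # Friendlier for the user who forgot to log out elsewhere.
  def login_evicting(user_id)
    issue(user_id)
  end

  # Per-request check: the presented session id must match the stored one
  # and must not have timed out. Refreshes last_seen on success.
  def valid?(user_id, session_id)
    rec = @by_user[user_id]
    return false if rec.nil? || expired?(rec)
    return false unless secure_equal?(rec.session_id, session_id.to_s)
    rec.last_seen = @clock.call
    true
  end

  def logout(user_id)
    @by_user.delete(user_id)
  end

  private

  def issue(user_id)
    sid = SecureRandom.hex(16)
    @by_user[user_id] = Record.new(sid, @clock.call)
    sid
  end

  def expired?(rec)
    @clock.call - rec.last_seen > @timeout
  end

  # Constant-time comparison so response timing does not leak how many
  # leading bytes of a guessed session id were right.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  reg = SingleSessionRegistry.new(timeout_seconds: 600)
  first = reg.login(42)
  puts "first login:  #{first}"
  puts "second login: #{reg.login(42).inspect} (refused while first is live)"
  puts "evicting login: #{reg.login_evicting(42)}"
  puts "old session still valid? #{reg.valid?(42, first)}"
end
```

The timeout is the piece the answer warns about: without it the strict policy locks the account until the original session happens to be logged out, so pick the timeout to match the session length the app already uses.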

Rails best practice for app with only one user?

I am building a website for a client that wants to be able to make edits to things on their website. As such I need a way to allow the client to login to the site to make their changes.
My initial thought was to make an authentication system that relies on a User table in the database that is capped at one and only one user. It seems sort of overkill however to make a database table for just one result, so I was wondering if there were any other approaches or best practices that anyone could point to for building a site with just one user.
You could simply authenticate with a static password that is read from a file (encrypted), if you do not want a db model for that.
However, setting up authentication with a gem like Devise is like 10 minutes of work. In order to be more secure (it can matter even in single-user apps), you can set it up and be fine :)
I would highly recommend you set up authentication. As SpyrosP said it does not take long when you use Devise.
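If the file-based route from the first answer is taken anyway, the file should hold a salted, slow hash of the password rather than the password itself, and the check should compare in constant time. The following is an added plain-Ruby example, not code from either answer or from Devise; the `pbkdf2-sha256$iterations$salt$hash` line format, the iteration count and the function names are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'tmpdir'

# Constructed credential line format:
#   pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
ITERATIONS = 50_000
KEY_LEN = 32

def derive(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN,
                             OpenSSL::Digest.new('SHA256'))
end

# Write the hashed credential to a file readable only by the app's user.
# Run once when provisioning; the plaintext password is never stored.
def write_credential(path, password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  hash = derive(password, salt, iterations)
  line = ['pbkdf2-sha256', iterations,
          salt.unpack1('H*'), hash.unpack1('H*')].join('$')
  File.open(path, 'w', 0o600) { |f| f.puts line }
  File.chmod(0o600, path) # in case the file already existed with wider mode
  path
end

# Check a submitted password against the file: re-derive with the stored
# salt and iteration count, then compare the hashes in constant time.
def verify_credential(path, password)
  scheme, iter, salt_hex, hash_hex = File.read(path).strip.split('$', 4)
  return false unless scheme == 'pbkdf2-sha256' && iter && salt_hex && hash_hex
  expected = [hash_hex].pack('H*')
  actual = derive(password.to_s, [salt_hex].pack('H*'), iter.to_i)
  secure_equal?(expected, actual)
end

# Constant-time equality so a wrong password fails in the same time
# regardless of how many leading bytes of the hash happened to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $0
  path = File.join(Dir.tmpdir, "single-user-credential-#{$$}.txt")
  write_credential(path, 'correct horse battery staple')
  puts "file contents: #{File.read(path)}"
  puts "right password: #{verify_credential(path, 'correct horse battery staple')}"
  puts "wrong password: #{verify_credential(path, 'hunter2')}"
  File.delete(path)
end
```

Storing the iteration count in the line lets it be raised later without a format change, and the 0600 mode keeps the hash from being world-readable if the file lives under the app directory.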

What are people's opinions vis-a-vis my choice of authorization plugins?

I'm slowly but surely putting together my first rails app (first web-app of any kind in fact - I'm not really a programmer) and it's time to set up a user registration/login system. The nature of my app is such that each user will be completely separated from each other user (except for admin roles). When users log in they will have their own unique index page looking at only their data which they and no-one else can ever see or edit. However, I may later want to add a role for a user to be able to view and edit several other user's data (e.g. a group of users may want to allow their secretary to access and edit their data but their secretary would not need any data of their own).
My plan is to use authlogic to create the login system and declarative authorization to control permissions but before I embark on this fairly major and crucial task I thought I would canvas a few opinions as to whether this combo was appropriate for the tasks I envisage or whether there would be a better/simpler/faster/cheaper/awesomer option.
What about cancan by Ryan Bates?
Here you can get a complete visual guided implementation
Take a look at this, it might help:
Basic Rails 3 engine utilizing Authlogic, CanCan and Easy Roles
What about Devise? Take a look at the railscasts.com site.

(Ruby,Rails) Role-based authentication and user management...?

I'm looking for a quality Administrative plugin for Rails. It seems that most of the existing plugins/gems (e.g. "restful_authentication", "acts_as_authenticated") revolve around self-signup, etc. However, I'm looking for a full-featured Administrative/Management role-based type of solution -- but not one that's simply tacked on to another non-role-based solution.
If I can't find one, I suppose I'll roll my own...just wasn't looking to re-invent the wheel.
Ryan Bates has recently made two railscasts on authorization (note the difference between authentication and authorization; authentication checks if a user is who she says she is, authorization checks if the user has access to a resource). Episode #188 is on declarative_authorization, which is a really powerful authorization plugin. Episode #192 (sorry, I don't have enough reputation to link to it) is about Ryan Bates' own CanCan plugin, which is a much simpler plugin, but it would still work for most apps.
There are a few out there. I have used:
http://github.com/DocSavage/rails-authorization-plugin/ for applications before in conjunction with restful_authentication, but I believe it will work with any authentication that gives you a current_user method. On github there is also http://github.com/mdarby/restful_acl/ and http://github.com/danryan/role_model/, they are just role based stuff though I'd say, not authentication as well.
The authentication and the access control role based stuff are all available as separate plugins/gems to the best of my knowledge, and that's a good thing as they are different beasts. Not all apps that have authentication need to have ACL type stuff and even some that do only need a really simple "am I an admin" kind of thing rather than a full blown user roles thing. So I'd say if you want one that does it all you'll have to write it; if you don't want to do that then I'd say a combination of either Authlogic or restful_authentication with one of the authorization plugins will do the trick quite nicely.
You might check out the links in "Which Rails plug in is best for role based permission?".
None of the solutions listed there seem very appealing to me. The top contender, role_requirement apparently requires restful_authentication, but I find AuthLogic much better designed and less intrusive. The others listed seem to not be very actively maintained.
