What are people's opinions vis-a-vis my choice of authorization plugins? - ruby-on-rails

I'm slowly but surely putting together my first rails app (first web-app of any kind in fact - I'm not really a programmer) and it's time to set up a user registration/login system. The nature of my app is such that each user will be completely separated from each other user (except for admin roles). When users log in they will have their own unique index page looking at only their data which they and no-one else can ever see or edit. However, I may later want to add a role for a user to be able to view and edit several other users' data (e.g. a group of users may want to allow their secretary to access and edit their data but their secretary would not need any data of their own).
My plan is to use authlogic to create the login system and declarative authorization to control permissions but before I embark on this fairly major and crucial task I thought I would canvas a few opinions as to whether this combo was appropriate for the tasks I envisage or whether there would be a better/simpler/faster/cheaper/awesomer option.

What about cancan by Ryan Bates?
Here you can get a complete visual guided implementation
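Before picking a gem it helps to write the rules from the question down as code. The following is an added example, not code from the original thread and not CanCan's own DSL: a plain-Ruby ability object for the scenario described above (every user sees only their own records, admins see everything, and a "secretary" may read and edit the records of the users who delegated to them). The `User`, `Record` and `Ability` names and the `delegators` field are assumptions made for the example.

```ruby
# Added example: a minimal default-deny authorization model for the
# "own data only, plus optional secretary delegation" rules. Names are
# hypothetical; CanCan expresses the same rules with can/cannot blocks.

# Hypothetical: delegators holds the ids of users who let this user
# (their secretary) see and edit their data. Empty for ordinary users.
User = Struct.new(:id, :role, :delegators, keyword_init: true) do
  def admin?
    role == :admin
  end
end

# Every record belongs to exactly one owner.
Record = Struct.new(:owner_id, :body, keyword_init: true)

class Ability
  ACTIONS = %i[read update].freeze

  def initialize(user)
    @user = user
  end

  # True only when a rule grants the action; anything not explicitly
  # allowed is denied, so a forgotten rule fails closed.
  def can?(action, record)
    raise ArgumentError, "unknown action #{action.inspect}" unless ACTIONS.include?(action)
    return true if @user.admin?
    return true if record.owner_id == @user.id

    Array(@user.delegators).include?(record.owner_id)
  end
end

# Controller-side guard: raise instead of silently rendering someone else's data.
def authorize!(user, action, record)
  return true if Ability.new(user).can?(action, record)

  raise SecurityError, "user #{user.id} may not #{action} a record owned by #{record.owner_id}"
end

# Index-page scoping: only the records this user may read.
def accessible_records(user, records)
  ability = Ability.new(user)
  records.select { |r| ability.can?(:read, r) }
end
```

The important property is the default-deny `can?`: a new action or a record with an unexpected owner is refused unless a rule says otherwise, which is the same posture the gems in the answers above give you.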

Take a look at this, it might help:
Basic Rails 3 engine utilizing Authlogic, CanCan and Easy Roles

What about Devise? Take a look at the railscasts.com site.

Related

Creating a User control panel for multiple user_types in Rails

I am developing a job portal website as part of a project for university and am not exactly sure how to approach this problem. I am using Devise for my authentication system, allowing users to sign in. The system will have many user_types (job_seeker, company).
At the moment I am using "Rails_admin" for the admin interface, but I am looking to create an interface where a company can manage their jobs, applications, etc., and job_seekers can view their previous job applications, job status, etc.
My plan was to develop it so that the controller checks the user_type and then redirects to a control panel, which would hopefully allow all users to sign in using one login page. But my question is, how do I go about developing "job_seeker" and "Company" control panels where they can manage their details?
I am looking for information on how to approach this problem, or the best method to achieve a solution.
Did you try using a gem that allows or simplifies role/user management, like cancan?
A good approach is, as Maxence said, to have a namespace for every role and a dashboard controller to show what you need. This will help you keep things split and will be easier to maintain. You can check here how to use namespaces. You can do it with a resource as well, but I don't like it.
Another thing that you can do is have a single dashboard controller and redirect depending on the user role.

Access control different pages in a Rails app?

I have a Rails app that I need to put access control on. (Some pages can be accessed by everyone, some pages can only be accessed by certain LDAP groups of people, etc.) What's the best way to handle this access control?
One way is to have a before_filter in all of my controllers that checks, for each action, whether the user belongs to an LDAP group authorized for that action. (But this seems possibly messy.) Is there a better way?
You should do this kind of thing with an authorization mechanism.
CanCan is really popular, and also quite simple: https://github.com/ryanb/cancan
You can find other gems for handling authorization here: https://www.ruby-toolbox.com/categories/rails_authorization
I highly recommend reading this book if you're new to Ruby On Rails. The section that talks about exactly what you need is here.
As far as I know, the before filter works perfectly, and isn't messy because it's handled in the controller for the page.
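The "before filter that checks the user's LDAP groups for each action" approach from the question, written out as an added example (not code from the thread, and not Rails itself, so it runs stand-alone): a mixin with a small declarative mapping from actions to the group DNs allowed to run them, plus default deny for any action that was not declared. The controller, action and group names are hypothetical; in a real app the group list would come from the LDAP lookup done at login.

```ruby
# Added example: declarative action-to-LDAP-group rules enforced by a
# before-filter-style check. All names are hypothetical.

class AccessDenied < StandardError; end

module GroupAuthorization
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Actions listed here may be run by members of any of the given groups.
    def require_groups(groups, only:)
      Array(only).each { |action| rules[action.to_sym] = Array(groups).map(&:freeze) }
    end

    # Actions anyone may run, including anonymous users.
    def allow_public(*actions)
      actions.each { |action| rules[action.to_sym] = :public }
    end

    def rules
      @rules ||= {}
    end
  end

  # The filter itself: runs before the action and raises unless the caller
  # is in an authorized group. An action with no rule is denied, so adding
  # a new action without thinking about access never opens it up.
  def authorize_action!(action, user_groups)
    rule = self.class.rules[action.to_sym]
    case rule
    when :public
      true
    when nil
      raise AccessDenied, "no access rule declared for #{action}"
    else
      raise AccessDenied, "#{action} requires one of: #{rule.join(', ')}" if (rule & user_groups).empty?

      true
    end
  end
end

FINANCE = "cn=finance,ou=groups,dc=example,dc=com"  # hypothetical group DNs
ADMINS  = "cn=admins,ou=groups,dc=example,dc=com"

class ReportsController
  include GroupAuthorization

  allow_public :index
  require_groups [FINANCE, ADMINS], only: [:show, :export]
  require_groups ADMINS, only: :destroy

  # Stands in for Rails dispatch: filter first, then the action.
  def dispatch(action, user_groups)
    authorize_action!(action, user_groups)
    public_send(action)
  end

  def index;   "public report list"; end
  def show;    "report body";        end
  def export;  "report.csv";         end
  def destroy; "deleted";            end
end
```

Keeping the mapping next to the controller (rather than scattered `if` checks inside each action) is what makes the before-filter approach tidy: every action's required groups are visible in one place, and the default is deny.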

How to access logged in user from controller in rails 3

I'm trying to create a login system in Rails 3 where I can access the logged in user not only from the views but also from the controller/model level. The reason is that I want to adapt functionality according to a privilege system where logged in users may execute different functions than those that are not logged in.
Up to this point, I tried to implement the login system from railstutorial.com, chapter 9.
When I use the login system only from the view, it works. However, if I try to use the system via a controller, I get the error undefined method 'cookie_jar' for nil:NilClass.
Thank you for any help or best practices you can provide for creating an authentication system where the logged in user can be identified from a controller.
The best advice here is probably "don't". If you want an authentication system, use something like Devise - which has had a lot of time and effort spent making sure that evildoers can't get in.
If you want different users to execute different functions, this is access control, and for that you probably want something like cancan or ACL
And you want access to the logged in user from the model level? Again, the best practice is "don't". The model should have no interest in the currently logged in user - that is a matter for the controller.
(That said, rules are sometimes made to be broken - if you are doing an audit trail and need to store information about the user who made a change, for example, passing the currently logged in user to the model may be the best answer ....)
And finally, if you really, really want to do it all from scratch, take a look at this railscast
An extremely simple way is to do it as mentioned in railscast episode: http://railscasts.com/episodes/20-restricting-access
As mentioned in the screen cast, you can use the plugin acts as authenticated (http://www.railsrocket.com/acts_as_authenticated-plugin) for all your user model needs.
If everything is done according to the tutorial you should be able to get current_user from both controllers and views. There's also another tutorial on authentication on asciicasts.com by Ryan Bates. You may want to explore it if you are just starting Rails, but for real-life applications it's highly recommended to use Devise or AuthLogic, which are thoroughly tested and constantly evolving.

Rails best practice for app with only one user?

I am building a website for a client that wants to be able to make edits to things on their website. As such I need a way to allow the client to login to the site to make their changes.
My initial thought was to make an authentication system that relies on a User table in the database that is capped at one and only one user. It seems sort of overkill however to make a database table for just one result, so I was wondering if there were any other approaches or best practices that anyone could point to for building a site with just one user.
You could simply authenticate with a static password that is received from a file (encrypted), if you do not want a db model for that.
However, setting up authentication with a gem like Devise is like 10 minutes of work. In order to be more secure (it can matter even in single-user apps), you can set it up and be fine :)
I would highly recommend you set up authentication. As SpyrosP said it does not take long when you use Devise.
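If you do go the "password in a file" route from the first answer, the file must hold a salted, slow hash rather than the password itself, and the comparison must not leak timing. The block below is an added example (not code from the thread): PBKDF2-HMAC-SHA256 from Ruby's standard `openssl` library, a constant-time compare, and a line format of `pbkdf2-sha256$iterations$salt$hash`. The file format, iteration count and function names are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"
require "tmpdir"

# Added example: single-password authentication backed by a hash file.
# Format and names are hypothetical.

ITERATIONS = 200_000   # slow enough to make offline guessing expensive
KEY_LEN = 32           # bytes of derived key

# Returns the line to store: "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>".
# A fresh random salt per call means the same password never hashes the same twice.
def hash_password(password, salt: SecureRandom.hex(16), iterations: ITERATIONS)
  derived = OpenSSL::PKCS5.pbkdf2_hmac(password, [salt].pack("H*"), iterations, KEY_LEN, "sha256")
  ["pbkdf2-sha256", iterations, salt, derived.unpack1("H*")].join("$")
end

# Constant-time equality: the time taken does not depend on where the
# strings first differ, so an attacker cannot home in byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recomputes the hash with the stored salt/iterations and compares.
# Any malformed line is treated as a failed login, never as a pass.
def verify_password(stored_line, candidate)
  algo, iters, salt, hex = stored_line.to_s.strip.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && salt && hex

  iterations = Integer(iters, exception: false)
  return false unless iterations && iterations.positive?

  recomputed = hash_password(candidate, salt: salt, iterations: iterations).split("$").last
  secure_equal?(recomputed, hex)
end

# Writes the credential file readable only by the app's user; keep it out
# of the repository and, as the answer suggests, on an encrypted volume.
def write_credential(path, password)
  File.write(path, hash_password(password) + "\n", perm: 0o600)
end

def authenticate_from_file(path, candidate)
  verify_password(File.read(path), candidate)
end
```

Rotating the password is then just rewriting the file; nothing in the app's code or database changes, which is the convenience the single-user setup was after.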

Ruby on Rails: how to use sessions to implement remote sign-out?

My goal is to allow users of a Rails web app to see all their open sessions on other computers and close/sign out of them remotely. Similar to gmail's "Account activity" page (link found at the bottom of the gmail inbox page).
I can technically achieve this by using the sessions in the database
account_sessions = CGI::Session::ActiveRecordStore::Session.find(:all)
and iterating over them to find sessions corresponding to the current user (the user ID is stored in the session data), and allowing the user to destroy these sessions.
However, this doesn't offer the usual convenience of working with Rails models. I can't easily express a has_many relationship with the user and make use of
current_user.sessions
nor can I easily put an index on user_id since it's in the data part of the session (instead of being its own column).
This approach also may become impractical if the number of sessions grows, since in the above the table is read into memory.
As a solution, I'm thinking of creating my own model which "mirrors" the relevant portions of the session and is created/updated/destroyed to maintain that correspondence.
This isn't a great way to go about it due to data replication and added complexity of code, but I didn't find another way to do it.
So the question is: is this a good way to go about it, or am I missing something?
Thanks in advance!
Fraser
Edit: I should have mentioned that I'm currently using restful-authentication, and would prefer not to switch.
Since authlogic offers a user session model and is easily extendable, you should be able to achieve exactly what you want, if you don't mind switching to another authentication mechanism.
Edit: This Railscast should give you a pretty good overview.
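The "mirror model" the question proposes, as an added example that is not part of the original post and not authlogic's implementation: a per-user session registry in plain Ruby (no ActiveRecord, so it runs stand-alone) that lists a user's live sessions and revokes them remotely. Two details a practitioner would want that the question does not mention: only a SHA-256 digest of the session token is stored, so a copy of the sessions table cannot be replayed as a cookie, and revocation is scoped to the requesting user so one user cannot sign out another. The class and field names are hypothetical.

```ruby
require "securerandom"
require "digest"

# Added example: user-indexed session records with remote sign-out.
# In Rails this would be a table with an index on user_id and token_digest.

SessionRecord = Struct.new(:id, :user_id, :token_digest, :user_agent, :created_at, :revoked,
                           keyword_init: true)

class SessionRegistry
  def initialize
    @records = []
    @next_id = 0
  end

  # Starts a session and returns the raw token for the cookie.
  # Only the digest is stored server-side.
  def open(user_id, user_agent:)
    token = SecureRandom.urlsafe_base64(32)
    @records << SessionRecord.new(id: (@next_id += 1), user_id: user_id,
                                  token_digest: digest(token), user_agent: user_agent,
                                  created_at: Time.now, revoked: false)
    token
  end

  # Resolves a cookie token; nil when unknown or revoked (i.e. signed out remotely).
  def authenticate(token)
    d = digest(token)
    @records.find { |r| r.token_digest == d && !r.revoked }
  end

  # What the "account activity" page lists: the user's own live sessions.
  def active_for(user_id)
    @records.select { |r| r.user_id == user_id && !r.revoked }
  end

  # Remote sign-out of one session by id, restricted to the caller's own sessions.
  def revoke(user_id, session_id)
    rec = @records.find { |r| r.id == session_id && r.user_id == user_id && !r.revoked }
    return false unless rec

    rec.revoked = true
    true
  end

  # "Sign out everywhere else": revoke all of the user's sessions except
  # the one making the request. Returns how many were revoked.
  def revoke_all_except(user_id, current_token)
    keep = digest(current_token)
    others = active_for(user_id).reject { |r| r.token_digest == keep }
    others.each { |r| r.revoked = true }
    others.size
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Because the registry, not the cookie store, is the source of truth, marking a record revoked is enough to end the session on the other machine at its next request, which is the behaviour the question is after.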
