what do you recommend?
Authlogic or restful_authentication?
Is it hard, to build the email-activation-step into authlogic
(as far as I know, Authlogic hasn't this feature included).
Actually I'd disagree with fig-gnuton. There are a couple of things that you could do. If you want a basic solution try restful auth but be aware that the generator based approach has significant shortcomings. The main shortcoming is that you are squirting a large gob of code into your application. So when there's an issue you have to patch the code manually or blow away any customisations you've made. Recent versions of restful auth are much better than earlier versions which spewed code left, right and centre but my advice would be where possible leave the user and session code generated by restful auth well alone. For example if you want properties on your User make another object like Person and link the two.
I prefer authlogic because:
It feels like you're more in control.
I appreciate the extent to which authlogic is documented and their example app is pretty useful as a guide too.
Also I've had bother with testing restful_auth apps, not so with authlogic.
Extensions like forgotten password resets, API keys and the like are much less custom code than restful_auth.
And don't forget Clearance, the other kid in the block.
Restful Authentication is crap. It's the kind of thing that gives Rails generators a bad name.
What do I mean by that? The generators that come with Rails are (IMHO) good. They generate a very minimalistic skeletal structure. What they generate is small, easily understood, and easy added to/replaced by your own code as you go. All the complex gnarly pieces are in the Rails libraries, where they belong, not in the generated code.
Restful Authentication, on the other hand, comes with generators that spew out massive amounts of generated code that's hard to work with and hard to maintain. Functionality that should be in a nice library where it can be easily upgrade with each new version of the framework is instead spewed out in generated model and controller code where it'll end up intermixed with your code. It's not scaffolding, it's a mass one way dump of autogenerated code.
Stay away... stay far away....
You're better off with authlogic.
take a look at my reasoning here
http://blog.platform45.com/2009/09/30/user-authentication-with-authlogic
Restful_Auth is a drop-in solution.
Authlogic is great and can do anything restful_auth can do (and more, afaik), but Authlogic is geared to customization, it therefore lacks the generator aspect (by design rather than oversight).
Bottom line, if you're a newbie (sounds like you might be), I'd start with restful_auth.
Related
I've been looking at Administrate source code and would like to know if it's a good practice or not the use of a generic controller and what implications it would have, like code complexity, performance degradation, etc.
Sometime ago, there was a gem inherited_resources that provide this feature, but since Rails 3.0 or 3.1 has been said we no longer need them.
So, since I have some very simple models (with only two or three fields) I could create a generic view and controller to manipulate them and save a lot of lines of "duplicated" code. Although I'm afraid, by avoiding repetition I could be creating another monster.
I've been looking for a Rails way to do this, but failed, so I would thanks some advice.
Note: I'm not looking to implement or use an admin dashboard, but use in my application instead
All Rails admin-panel implementations will make you hurt when you will try to make something more complex than stupid simple CRUD-application. I recomend you not to use such solutions. I had experiece in usage three different Rails's admin-panels and all of them had bad design and a lot of limitations. They are hard to mantain and extend their functionality.
I'm building a multi-tenant app in rails. I've decided not to do a separate table for each tenant like in the appartment gem.
I've decided that I can either do an around_filter in my application controller that puts a default_scope on everything, but I also thought that maybe it would be easy enough to do via permissions in the authorization gem I'm using.
The latter seems simpler, so I'm tempted to go with it. But I don't see it being recommended anywhere so I'm wondering if there's maybe a major security hole I'm not thinking of.
It seems sensible to use authorization gem. If implemented correctly, there should be no serious security hole at application level, so go for it. (If you use CanCan, there was already a question on this on StackOverflow: here)
Note that if you are concerned about security more than anything else, you should have gone for separate tables, schemas or even databases. But hopefully you have already analyzed the possible choices :) Anyway, here is an interesting article from MSDN about multi-tenant architecture with lots of useful thoughts and hints.
This question aims to understand RoR and frameworks in general. It looks like RoR never had any standard user authentication system. Was it just historical reason (just happened naturally as it did)... or could it be intentional? Because RoR is a website building tool, more often than not, user authentication is a crucial part of a website.
To put it into perspective, another question is, do other popular frameworks, Django, Symfony, CakePHP, have user authentication built in?
There is no reasonably generic way to do user authentication. Most frameworks leave it up to you to choose the plugin that most closely matches what you're trying to accomplish.
For example, consider these two situations:
a blog which has a single administrator with password-protected admin-facing tools
a site like YouTube which allows users to sign up and administer their own content
Both of these sites would require vastly different authentication systems; which of these systems should Rails cater to out-of-the-box?
The Rails core team wanted to ensure that Rails was open-ended enough to make anything you want. There is no one-size-fits-all authentication scheme, so the core team decided to leave it out. Rails is easily extendable via gems and plugins, so that is where they belong.
Some examples are Warden and the Rails Warden plugin, Devise, Authlogic, and Restful Authentication.
CakePHP has a built in Authentication component that is pretty straight forward and easy to implement.
Most of these frameworks you mentioned are toolkits, not complete products. You build these things yourself, or leverage plugins from the community. Django's admin plugin/module has authentication out of the box though. Drupal does too, as a matter of fact.
Authentication can be(and is in my opinion) a matter of taste and need. If Rails was including things like that, it would start to become a website and not a framework. The programmer has to be free to choose among various implementations. That is why gems are available.
I've been programming a little in Rails and CakePHP, and I can say that Rails doesn't need to provide a mechanism like this. The community is very very good, and there are many examples (already said, like Devise, Authlogic...) made by very good programmers. Of course, there are many tutorials online (and also, railscasts, which are simply awesome) to program a succesful set-up for your project. So, if we have all of this, why should we need something like cakePHP mechanism? It's OK, it works, but there's just a very good tutorial and that's all( and maybe enough..). So, in the end, if u have a nice community you shouldn't care about the core of the technology, there will be always someone else more experienced with your needs that will do it for you. And if you don't find it, do it by yourself and in the proccess you will find a lot of help! :)
Does anyone know of a good guide on building your own authentication system in ruby on rails?
I want to roll my own system to use with my community im building :)
Thanks!
I'd recommend starting with Warden - it'll handle the very basics of sessions for you, and give you a good foundation to build your logic on top of. The Rails Warden plugin is a rather small library that helps integrate it into Rails. Both of these projects are fairly mature and well-constructed yet still under active development - they're good choices all around.
You should be aware of Devise, another authentication framework (like Authlogic or Restful Authentication) that is based on Warden. It may not be a good fit for your project (it wasn't for mine), but looking through the source might give you a few ideas on how best to use Warden.
The other thing I'll note is that, in terms of hashing passwords, you should absolutely use bcrypt.
michael hartl has a good book coming out soon and the first 8 chapters are available in pdf format for free here: http://www.railstutorial.org/ - they cover the entire process of creating a very solid rspec-driven authentication system - can't recommend it highly enough
Well, it came out a while after you asked your question but the best answer if you're keen to build your own authentication system rather than use something like Devise would probably have to be Ryan Bates' Authentication from Scratch Screencast.
Since authentication is a common problem that has been solved many times already, I would start by investigating the solutions already out there.
For example, have a look at Restful Authentication which provides a good foundation for authentication in Rails. Even if you'd rather roll your own system, playing around with Restful Authentication and understanding how it works should give you a good understanding of the components needed when you start building your own system.
Check out this article:
http://www.aidanf.net/rails_user_authentication_tutorial
The author goes, step by step, through an entire authentication framework, with suggestions on further improvements. Even tests are discussed.
I agree with Ritchie... Devise has some very nice features but it doesn't play nice with others. For many use-cases, the way it hijacks the routing can make your job more difficult. In many situations you may be better off rolling your own.
Devise has caused circular references in my Rails asset pipeline, and the settings in the initializer as installed (in the latest version as of yesterday) conflicted with the defaults in the migration it generated.
I have built enterprise-level authentication systems, including email verification, password recovery, etc. And none of it required the routing shenanigans that Devise uses. If you really need all the features, it may be for you. But there are lots of reasons to not use it, too.
We are evaluating plugins for Authorization in Rails. The two at the top of our list are
cancan and declarative_authorization.
I would like to get some feedback from anyone currently using either of these plugins.
The problem we are going to face with any authorization plugin is that we have a
database per customer model and will need to modify the plugin to work within that
model. Because of this fact I'm interested in hearing from anyone who has had to tweak the
plugins at all as well.
I'm just starting to look around at the code. It seems like cancan might be a little easier to customize.
Any thoughts?
Cancan is a lighter weight plugin for smaller sites. You can see a video on railscasts.
http://railscasts.com/episodes/192-authorization-with-cancan
I've used declarative_authorization with authlogic/restful_auth for several projects. It has everything you would need. 1) Model security. 2) Controller security 3) methods available to the view to check auth.
The only frustrating thing I've run into with declarative_authorization is me not reading the rdocs.
http://railscasts.com/episodes/188-declarative-authorization
Authority
I'd suggest you also check out my new gem, Authority. Because you do the actual logic in plain Ruby classes and methods, you can check any data source you need to: different databases, static files, phases of the moon via a web request, you name it. :)
I ended up using declarative_authorization. Now it seems that auth_logic is where the community is headed.
declarative_auth would have been really simple if it wasn't for our apps multi-tennant db
model. I had to modify the source a bit to make it all work, but it wasn't too tough to do, and
I was pretty green when I started this project.
It seems like you really can't go wrong with any of the solutions. cancan seemed cool too
but it would have needed more mods for what I was doing so I decided against it.
Its written by Ryan Bates though which is cool. Love rails casts! :)
I know this post is old but I figured I'll update any because you never know.