webdevRefinery Forum: How to grant different rights to users with ruby on rails?

thorin

  • Group: Members
  • Posts: 14
  • Joined: 12-November 11

Posted 15 August 2012 - 04:46 PM (#1)

How to grant different rights to users with ruby on rails?


I have already working login and user pages.

I use the following filters to check whether a user has access to certain pages:

before_filter :authorize - placed in the application controller, this little line makes sure a user is logged in before visiting every page

skip_before_filter :authorize - placed in every controller for pages that require no login

Here is the application controller:
class ApplicationController < ActionController::Base
  before_filter :authorize
  protect_from_forgery

  protected

  # Runs before every action unless a controller opts out with
  # skip_before_filter :authorize. A redirect from a before_filter halts
  # the chain, so the action itself never runs for an anonymous request.
  def authorize
    unless User.find_by_id(session[:user_id])
      redirect_to login_url, :notice => "Please log in"
    end
  end
end


Here is my users_controller.rb:

class UsersController < ApplicationController
  # GET /users
  # GET /users.json
  def index
    @users = User.order(:name)

    respond_to do |format|
      format.html # index.html.erb
      format.json { render json: @users }
    end
  end

  # GET /users/1
  # GET /users/1.json
  def show
    @user = User.find(params[:id])

    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @user }
    end
  end

  # GET /users/new
  # GET /users/new.json
  def new
    @user = User.new

    respond_to do |format|
      format.html # new.html.erb
      format.json { render json: @user }
    end
  end

  # GET /users/1/edit
  def edit
    @user = User.find(params[:id])
  end

  # POST /users
  # POST /users.json
  def create
    # Mass assignment: every key under params[:user] is written to the new
    # record unless the model limits this with attr_accessible/attr_protected.
    @user = User.new(params[:user])

    respond_to do |format|
      if @user.save
        format.html { redirect_to(users_url, :notice => "User #{@user.name} was successfully created.") }
        format.json { render json: @user, status: :created, location: @user }
      else
        format.html { render action: "new" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # PUT /users/1
  # PUT /users/1.json
  def update
    @user = User.find(params[:id])

    respond_to do |format|
      if @user.update_attributes(params[:user])
        format.html { redirect_to(users_url, :notice => "User #{@user.name} was successfully updated.") }
        format.json { head :ok }
      else
        format.html { render action: "edit" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /users/1
  # DELETE /users/1.json
  def destroy
    @user = User.find(params[:id])
    @user.destroy

    respond_to do |format|
      format.html { redirect_to users_url }
      format.json { head :ok }
    end
  end
end


Here is my user.rb model:

require 'digest/sha2'

class User < ActiveRecord::Base
  validates :name, :presence => true, :uniqueness => true
  validates :password, :confirmation => true
  attr_accessor :password_confirmation
  attr_reader :password

  validate :password_must_be_present

  # Returns the user when name and password match, nil otherwise.
  def User.authenticate(name, password)
    if user = find_by_name(name)
      if user.hashed_password == encrypt_password(password, user.salt)
        user
      end
    end
  end

  # One SHA-256 over password + a fixed string + the per-user salt. This is
  # the textbook scheme: it is a fast digest, not a slow password hash such
  # as bcrypt, and the == in authenticate is not a constant-time comparison.
  def User.encrypt_password(password, salt)
    Digest::SHA2.hexdigest(password + "wibble" + salt)
  end

  # 'password' is a virtual attribute; only hashed_password and salt are stored
  def password=(password)
    @password = password

    if password.present?
      generate_salt
      self.hashed_password = self.class.encrypt_password(password, salt)
    end
  end

  private

  def password_must_be_present
    errors.add(:password, "Missing password") unless hashed_password.present?
  end

  # object_id and rand are not a cryptographic random source; the salt's
  # only job here is to make equal passwords hash to different values.
  def generate_salt
    self.salt = self.object_id.to_s + rand.to_s
  end

end


Here is my sessions_controller.rb:

class SessionsController < ApplicationController

  # Login and logout must be reachable without a session.
  skip_before_filter :authorize

  def new
  end

  def create
    if user = User.authenticate(params[:name], params[:password])
      # The textbook stores the id in the existing session. The Rails security
      # guide recommends reset_session before this line so that a session id
      # fixed by an attacker before login is not carried over.
      session[:user_id] = user.id
      redirect_to admin_url
    else
      redirect_to login_url, :alert => "Invalid user/password combination"
    end
  end

  def destroy
    # Clears only the user id; reset_session would discard the whole session.
    session[:user_id] = nil
    redirect_to store_url, :notice => "Logged out"
  end

end


I know this is a lot of stuff, but I thought I'd better include it all.

All of this works fine and none of it is written by me. It comes from the textbook. I mostly understand how it works. Users are able to register and log in successfully. My question seems rather simple, but I am still confused by Ruby programming. I just want different users to have different access to particular pages. For example, some users should have access to the users page, which lists all the users, while others shouldn't. How do you do this?
0


TheEmpty

  • I say words in sequences.
  • Group: Members
  • Posts: 5154
  • Joined: 02-October 10
  • Expertise:HTML,CSS,PHP,Java,Javascript,Python,Ruby on Rails,SQL

Posted 15 August 2012 - 05:16 PM (#2)

I would generally create a string on the user called "role" and check against it. But in cases where you only have two roles (user, admin), just create a boolean called admin that defaults to false. Also, cancan is pretty nice for this stuff: http://railscasts.co...on-with-cancan/
Reserved.
1


markbrown4

  • Group: Members
  • Posts: 385
  • Joined: 17-May 10
  • Location: Melbourne, Australia
  • Expertise: HTML, CSS, Javascript, Ruby on Rails, Graphics

Posted 15 August 2012 - 06:07 PM (#3)

If admin is the only special type, I'd just add a boolean "admin" to the user; then you can do checks like if user.admin? do blah.

Cancan is great if you have more types of users than that.
0
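Putting the two replies above into code, as an added example that is neither the textbook code from the question nor either reply's own: the boolean admin flag, the check that reads it, and the attribute whitelist that keeps the registration form from setting it. It is plain Ruby so it runs without Rails; the class name User is reused from the thread, while the id argument, grant_admin!, UserPolicy and the split of the scaffold actions into admin-only, self-or-admin and public are assumptions made for the example.

```ruby
# Added example, not the textbook code from the post: the admin flag the
# replies suggest, the check that reads it, and the mass-assignment
# whitelist that keeps a signup form from setting it.

class User
  # Mirror of Rails' attr_accessible: the only keys a form may set.
  # "admin" is deliberately absent, so User.new(params[:user]) with
  # user[admin]=1 in the request body cannot promote the new account.
  ACCESSIBLE = [:name, :password].freeze

  attr_reader :id, :name, :password

  # id stands in for the database primary key (assumption for the example).
  def initialize(id, attrs = {})
    @id    = id
    @admin = false            # same default the migration would give the column
    assign_accessible(attrs)
  end

  # Whitelisted mass assignment. Rejecting, rather than silently dropping,
  # an unknown key is what Rails' :strict mass_assignment_sanitizer does.
  def assign_accessible(attrs)
    attrs.each do |key, value|
      key = key.to_sym
      unless ACCESSIBLE.include?(key)
        raise ArgumentError, "#{key} is not mass-assignable"
      end
      instance_variable_set("@#{key}", value)
    end
    self
  end

  def admin?
    @admin == true
  end

  # Only trusted code (a migration, the console, an admin-only action)
  # should call this; it is never reachable through assign_accessible.
  def grant_admin!
    @admin = true
    self
  end
end

# Which scaffold actions each kind of user may reach. The split is an
# assumption that extends the thread's "some users may list users,
# others may not" to the rest of the posted UsersController.
module UserPolicy
  ADMIN_ONLY    = %w[index destroy].freeze
  SELF_OR_ADMIN = %w[show edit update].freeze
  PUBLIC        = %w[new create].freeze   # registration stays open

  # actor: the logged-in User, or nil. target: the User record the
  # action operates on, or nil for collection actions such as index.
  def self.allowed?(actor, action, target = nil)
    action = action.to_s
    return true  if PUBLIC.include?(action)
    return false if actor.nil?
    return true  if actor.admin?
    return false if ADMIN_ONLY.include?(action)
    SELF_OR_ADMIN.include?(action) && !target.nil? && target.id == actor.id
  end
end

if __FILE__ == $0
  admin = User.new(1, "name" => "root").grant_admin!
  alice = User.new(2, "name" => "alice")
  puts UserPolicy.allowed?(alice, :index)          # false
  puts UserPolicy.allowed?(admin, :index)          # true
  puts UserPolicy.allowed?(alice, :edit, alice)    # true
  begin
    User.new(3, "name" => "mallory", "admin" => true)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"                  # rejected: admin is not mass-assignable
  end
end
```

Wiring this into the posted app (the helper names are assumptions): a migration with add_column :users, :admin, :boolean, :default => false, :null => false; attr_accessible :name, :password, :password_confirmation in user.rb, which is what ACCESSIBLE stands in for, because User.new(params[:user]) in the posted create action would otherwise accept user[admin]=1 from anyone who can reach the signup form; a current_user helper in ApplicationController built on User.find_by_id(session[:user_id]); and, in UsersController, before_filter :require_admin, :only => [:index, :destroy] for the admin-only actions, with the per-record cases checked against UserPolicy.allowed?(current_user, action_name, @user) once @user is loaded. The check has to live in the controller, not only in the view that hides the link, since GET /users and GET /users.json are reachable by anyone who types the URL.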


TheEmpty

  • I say words in sequences.
  • Group: Members
  • Posts: 5154
  • Joined: 02-October 10
  • Expertise:HTML,CSS,PHP,Java,Javascript,Python,Ruby on Rails,SQL

Posted 15 August 2012 - 06:23 PM (#4)

TheEmpty, on 15 August 2012 - 05:16 PM, said:

I would generally create a string on the user called "role" and check against it. But in cases that you only have two roles: user, admin. Just create a boolean called admin that defaults to false. Also cancan is pretty nice for this stuff, http://railscasts.co...on-with-cancan/

markbrown4, on 15 August 2012 - 06:07 PM, said:

If admin is the only special type I'd just add a boolean "admin" to the user then you can do checks like if user.admin? do blah.

Cancan is great if you have more types of users than that.


* suspicious look *
Reserved.
0


markbrown4

  • Group: Members
  • Posts: 385
  • Joined: 17-May 10
  • Location: Melbourne, Australia
  • Expertise: HTML, CSS, Javascript, Ruby on Rails, Graphics

Posted 15 August 2012 - 10:51 PM (#5)

Sorry, I didn't read your post properly... I'm not getting enough sleep. If we both suggest a boolean I guess it's the right way to go ;)
0

