Very simple authentication


#1

Could someone help me with this? It really only needs to be this
simple. I don't need user models, plugins, etc.

I think it's clear what I'd like (either admin or slt to
authenticate), but it's obviously flawed and lets any username/password
combination in!

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      name == "admin" || "slt" && password == "admin" || "slt"
    end
  end

I've also tried:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      (name == "admin" && password == "admin") || (name == "slt" && password == "slt")
    end
  end

Thanks.


#2

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      name == "admin" || "slt" and password == "admin" || "slt"
    end
  end

I'm pretty sure that should work. "and" is evaluated after &&. They're
now equivalent - it's a Ruby thing.

If it still doesn't work:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      (name == "admin" || "slt") and (password == "admin" || "slt")
    end
  end

I hope I understood your question correctly. :stuck_out_tongue:


#3

"Not" equivalent. Not "now".

I don't understand how I manage to make those typos. It's not like I
forgot a letter or something - I actually use another word in its place.
Strange xD


#4

Thanks for the suggestion.

I get the same problem. Any username or password is allowed.

So I can enter 'foo' and no password and it lets me in.

Odd.


#5

johnsonmlw wrote:
[…]

I get the same problem. Any username or password is allowed.

So I can enter 'foo' and no password and it lets me in.

Odd.

Not odd at all. The problem is that == binds tighter than ||, so that

  user == 'admin' || 'slt'

is equivalent to

  (user == 'admin') || 'slt'

This will return true if user is 'admin', or 'slt' in any other case.
It will never return false.

Best,

Marnen Laibow-Koser
http://www.marnen.org


#6

johnsonmlw wrote:

Thanks for the suggestion.

I get the same problem. Any username or password is allowed.

So I can enter 'foo' and no password and it lets me in.

Odd.

So basically...:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      true
    end
  end

?

I don't see how this can be useful to anyone though... But that might just
be me. lol


#7

The logic is wrong. Try this:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      # per-user lookup: the password must match the entry for that name
      credentials = {'admin' => 'admin', 'slt' => 'slt'}
      credentials[name] == password
    end
  end

In your previous examples, your method was returning 'the last thing
evaluated' (a Ruby thing), and in your case, that happened to be
'slt'. 'slt', as a string, is not false, which is why your method was
letting users in regardless of credentials.

Hardcoded credentials in any app are a terrible idea though…


#8

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      ["admin", "slt"].include?(name) and ["admin", "slt"].include?(password)
    end
  end

Or the other way to interpret what you just said. Makes more sense :stuck_out_tongue:
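
A worked example tying the thread together, added here by the editor and
not code from any of the posters. It runs the three checks side by side as
plain Ruby: the precedence bug from #1/#2 that Marnen explains in #5, the
set-membership check from #8, and a hardened version of the per-user hash
lookup from #7. The CREDENTIALS hash, the function names, and the
constant-time comparison helper are all assumptions made for the example;
in a real app the credentials would come from the environment or a
credential store rather than source, as #7 points out.

```ruby
require 'digest'

# Constructed stand-ins for the two hard-coded accounts in the thread.
# Hypothetical: a real app would load these from the environment or a
# credential store, never from source.
CREDENTIALS = { 'admin' => 'admin', 'slt' => 'slt' }.freeze

# The check from posts #1 and #2, as written. Ruby parses it as
#   (name == 'admin') || ('slt' && password == 'admin') || 'slt'
# so when the first two terms are false the expression evaluates to the
# string 'slt', which is truthy, and authentication always succeeds.
def precedence_bug?(name, password)
  !!(name == 'admin' || 'slt' && password == 'admin' || 'slt')
end

# The set-membership check from post #8. Both values must come from the
# set, but nothing ties a password to its user, so 'admin' with password
# 'slt' (and vice versa) is accepted as well.
def set_check?(name, password)
  %w[admin slt].include?(name) && %w[admin slt].include?(password)
end

# Constant-time string comparison. Both inputs are hashed to a fixed
# length first, so the loop always runs 32 iterations and never stops at
# the first mismatching byte; any difference is OR-ed into diff. Hand-rolled
# here to keep the script dependency free; in Rails use
# ActiveSupport::SecurityUtils.secure_compare instead.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The per-user lookup from post #7, hardened: the password is compared in
# constant time, and an unknown user still goes through a comparison
# (against an empty string) so response time does not reveal which
# usernames exist. The result is true only when the user exists AND the
# password matches, so an unknown user with an empty password is rejected.
def authenticate?(name, password)
  known    = CREDENTIALS.key?(name.to_s)
  expected = known ? CREDENTIALS[name.to_s] : ''
  matched  = secure_compare(expected, password.to_s)
  known && matched
end

# In a Rails controller the block handed to
# authenticate_or_request_with_http_basic receives (name, password) and
# must return a truthy value only for a valid pair:
#
#   def authenticate_admin
#     authenticate_or_request_with_http_basic do |name, password|
#       authenticate?(name, password)
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  [['admin', 'admin'], ['slt', 'slt'], ['admin', 'slt'], ['foo', '']].each do |n, p|
    printf("%-6s %-8s precedence_bug?=%-5s set_check?=%-5s authenticate?=%s\n",
           n, p.inspect, precedence_bug?(n, p), set_check?(n, p), authenticate?(n, p))
  end
end
```

Run it with `ruby basic_auth_checks.rb` (any filename will do) and the
table shows the first column accepting everything, the second accepting
the cross-paired 'admin'/'slt', and only the hardened check restricting
access to the two genuine pairs.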