Could someone help me with this. It really only needs to be this
simple. I don’t need user models or plugins etc.
I think it’s clear what I’d like (either admin or slt to
authenticate), but it’s obviously flawed and lets any username
password combination in!
def authenticateAdmin
  authenticate_or_request_with_http_basic do |name, password|
    name == "admin" || "slt" && password == "admin" || "slt"
  end
end
I’ve also tried:
def authenticateAdmin
  authenticate_or_request_with_http_basic do |name, password|
    (name == "admin" && password == "admin") || (name == "slt" && password == "slt")
  end
end
Thanks.
def authenticateAdmin
  authenticate_or_request_with_http_basic do |name, password|
    name == "admin" || "slt" and password == "admin" || "slt"
  end
end
I’m pretty sure that should work. “and” is evaluated after &&. They’re
now equivalent - it’s a Ruby thing.
If it still doesn’t work:
def authenticateAdmin
  authenticate_or_request_with_http_basic do |name, password|
    (name == "admin" || "slt") and (password == "admin" || "slt")
  end
end
I hope I understood your question correctly.
“Not” equivalent. Not “now”.
I don’t understand how I manage to make those typos. It’s not like I
forgot a letter or something - I actually use another word in place.
Strange xD
Thanks for the suggestion.
I get the same problem. Any username or password is allowed.
So I can enter ‘foo’ and no password and it lets me in.
Odd.
johnsonmlw wrote:
[…]
I get the same problem. Any username or password is allowed.
So I can enter ‘foo’ and no password and it lets me in.
Odd.
Not odd at all. The problem is that == binds tighter than ||, so that
  user == 'admin' || 'slt'
is equivalent to
  (user == 'admin') || 'slt'
This will return true if user is ‘admin’, or ‘slt’ in any other case.
It will never return false.
Best,
Marnen Laibow-Koser
http://www.marnen.org
johnsonmlw wrote:
Thanks for the suggestion.
I get the same problem. Any username or password is allowed.
So I can enter ‘foo’ and no password and it lets me in.
Odd.
So basically…:
def authenticateAdmin
  authenticate_or_request_with_http_basic do |name, password|
    true
  end
end
?
I don’t see how this can be useful to anyone though… But that might just
be me. lol
The logic is wrong. Try this:
def authenticateAdmin
  authenticate_or_request_with_http_basic do |name, password|
    # Each username maps to its own password; unknown names yield nil
    credentials = {'admin' => 'admin', 'slt' => 'slt'}
    credentials[name] == password
  end
end
On your previous examples, your method was returning ‘the last thing
evaluated’ (a Ruby thing), and in your case, that happened to be
‘slt’. ‘slt’, as a string, is not false, which is why your method was
letting users in regardless of credentials.
Hardcoded credentials in any app are a terrible idea though…
def authenticateAdmin
  authenticate_or_request_with_http_basic do |name, password|
    ["admin", "slt"].include?(name) and ["admin", "slt"].include?(password)
  end
end
Or the other way to interpret what you just said. Makes more sense
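Added example, not part of any post in this thread: a plain-Ruby harness that runs the block bodies posted above against constructed username/password pairs and lists which pairs each one accepts, judged by truthiness as the thread describes. `CASES`, `VARIANTS`, `accepted` and `valid_login?` are hypothetical names; `valid_login?` is one possible per-user check that takes its credentials from the caller instead of hardcoding them.

```ruby
require 'digest'

# Constructed inputs: the two intended pairs, the two cross pairs, and junk.
CASES = [%w[admin admin], %w[slt slt], %w[admin slt], %w[slt admin],
         ['foo', ''], %w[foo bar], ['admin', '']].freeze

# The credential values used in the thread (constructed sample data here).
CREDS = { 'admin' => 'admin', 'slt' => 'slt' }.freeze

# Each lambda is the body of one block posted in the thread.
VARIANTS = {
  original: ->(name, password) { name == 'admin' || 'slt' && password == 'admin' || 'slt' },
  with_and: ->(name, password) { (name == 'admin' || 'slt') and (password == 'admin' || 'slt') },
  paired: lambda do |name, password|
    (name == 'admin' && password == 'admin') || (name == 'slt' && password == 'slt')
  end,
  hash_lookup: ->(name, password) { CREDS[name] == password },
  either_list: ->(name, password) { %w[admin slt].include?(name) and %w[admin slt].include?(password) }
}.freeze

# Pairs for which the variant returns a truthy value (any non-nil, non-false
# object counts, which is why a trailing 'slt' string lets everyone in).
def accepted(variant)
  check = VARIANTS.fetch(variant)
  CASES.select { |name, password| check.call(name, password) }
end

# Hypothetical hardened check: look up the user's own password, then compare
# fixed-length digests without an early exit. In a Rails app,
# ActiveSupport::SecurityUtils.secure_compare serves the same purpose.
def valid_login?(credentials, name, password)
  expected = credentials[name.to_s]
  a = Digest::SHA256.digest(expected.to_s).bytes
  b = Digest::SHA256.digest(password.to_s).bytes
  same = a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  same && !expected.nil? # an unknown user never matches, even with ''
end

if __FILE__ == $PROGRAM_NAME
  VARIANTS.each_key { |v| puts format('%-12s accepts %p', v, accepted(v)) }
end
```

The `either_list` variant accepts the cross pairs admin/slt and slt/admin, which the paired and hash-lookup versions reject.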