Forum: Ruby on Rails very simple authentication

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
johnsonmlw (Guest)
on 2009-03-19 15:47
(Received via mailing list)
Could someone help me with this. It *really* only needs to be this
simple. I don't need user models or plugins etc.

I think it's clear what I'd like (either admin or slt to
authenticate), but it's obviously flawed and lets any username
password combination in!

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      name == "admin" || "slt" && password == "admin" || "slt"
    end
  end

I've also tried:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      (name == "admin" && password == "admin") || (name == "slt" && password == "slt")
    end
  end

Thanks.
Niklas P. (Guest)
on 2009-03-19 17:27
  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      name == "admin" || "slt" and password == "admin" || "slt"
    end
  end

I'm pretty sure that should work. "and" is evaluated after &&. They're
now equivalent - it's a ruby thing.

If it still doesn't work:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      (name == "admin" || "slt") and (password == "admin" || "slt")
    end
  end


I hope I understood your question correctly. :P
Niklas P. (Guest)
on 2009-03-19 17:29
"Not" equivalent. Not "now".

I don't understand how I manage to make those typos. It's not like I
forgot a letter or something - I actually use another word in place.
Strange xD
johnsonmlw (Guest)
on 2009-03-19 23:07
(Received via mailing list)
Thanks for the suggestion.

I get the same problem. *Any* username or password is allowed.

So I can enter 'foo' and no password and it lets me in.

Odd.
Marnen L. (Guest)
on 2009-03-19 23:21
johnsonmlw wrote:
[...]
> I get the same problem. *Any* username or password is allowed.
>
> So I can enter 'foo' and no password and it lets me in.
>
> Odd.

Not odd at all.  The problem is that == binds tighter than ||, so that

user == 'admin' || 'slt'

is equivalent to


(user == 'admin') || 'slt'

This will return true if user is 'admin', or 'slt' in any other case.
It will never return false.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
Harold (Guest)
on 2009-03-19 23:24
(Received via mailing list)
The logic is wrong. Try this:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      credentials = {'admin' => 'admin', 'slt' => 'slt'}
      credentials[name] == password
    end
  end

On your previous examples, your method was returning 'the last thing
evaluated' (a Ruby thing), and in your case, that happened to be
'slt'. 'slt', as a string, is not false, which is why your method was
letting users in regardless of credentials.

Hardcoded credentials in any app are a terrible idea though...
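To make the precedence point above concrete, here is an added example (not code from any poster in this thread) in plain Ruby with no Rails dependency: the posters' original condition reproduced as `broken_check`, next to a lookup-based `fixed_check` in the style of Harold's hash. The credential table and the method names are constructed for the example; the `constant_time_equal?` helper is a hand-written stand-in for the kind of comparison Rails provides in `ActiveSupport::SecurityUtils.secure_compare`, so the block runs outside Rails.

```ruby
# Added example, not from the thread: shows why `name == "admin" || "slt"`
# always passes, and a lookup-based check that does not. Plain Ruby, no Rails;
# the (name, password) pair that authenticate_or_request_with_http_basic yields
# is modelled as two method arguments returning true/false.

# The original posters' condition, reproduced exactly. == binds tighter than
# || and &&, so this parses as
#   (name == "admin") || ("slt" && (password == "admin")) || "slt"
# and the trailing string "slt" is truthy, so the result is never false.
def broken_check(name, password)
  name == "admin" || "slt" && password == "admin" || "slt"
end

# Constructed credential table (stand-in for the thread's hard-coded pairs).
CREDENTIALS = { "admin" => "admin", "slt" => "slt" }.freeze

# Compare two strings without stopping at the first mismatched byte, so the
# time taken does not depend on how much of the password matched.
# (Rails ships ActiveSupport::SecurityUtils.secure_compare for this; this is
# a hand-rolled stand-in so the block runs without Rails.)
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Lookup-based check: the username must exist AND its own password must
# match, so "admin"/"slt" cross-pairs and unknown users are rejected.
# Returns strictly true or false, never a leftover string.
def fixed_check(name, password)
  expected = CREDENTIALS[name]
  return false if expected.nil? || password.nil?
  constant_time_equal?(expected, password)
end

if __FILE__ == $0
  [["admin", "admin"], ["slt", "slt"], ["admin", "slt"], ["foo", nil]].each do |n, p|
    puts "#{n.inspect}/#{p.inspect}: broken=#{!!broken_check(n, p)} fixed=#{fixed_check(n, p)}"
  end
end
```

Run it and every row shows `broken=true`, including `"foo"/nil`, while `fixed` is true only for the two matching pairs; note that a plain `include?`-on-both-lists check would still accept `"admin"/"slt"`, which the hash lookup rejects.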
Niklas P. (Guest)
on 2009-03-19 23:38
johnsonmlw wrote:
> Thanks for the suggestion.
>
> I get the same problem. *Any* username or password is allowed.
>
> So I can enter 'foo' and no password and it lets me in.
>
> Odd.

So basically..:

  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      true
    end
  end

?

I don't see how this can be useful to anyone though.. But that might just
be me. lol
Niklas P. (Guest)
on 2009-03-19 23:43
  def authenticateAdmin
    authenticate_or_request_with_http_basic do |name, password|
      ["admin", "slt"].include?(name) and ["admin", "slt"].include?(password)
    end
  end

Or the other way to interpret what you just said. Makes more sense :P