Forum: Ruby on Rails role_requirement question

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Elliott G. (Guest)
on 2009-04-13 20:23
(Received via mailing list)
I am using restful_authentication in combination with role_requirement.

At the beginning of the controllers that I want to have login control
over, I include

require_role "user"
require_role "admin"

For instance. If I log in as either of the two roles and then call a
controller, it works fine. However, if I do not log in at all and simply
call a controller, it lets me right in. It doesn't restrict access
whatsoever: no redirect to a login page or anything.

How do I restrict access if no user is logged in at all?

Thanks
Niels Nuyttens (Guest)
on 2009-04-13 20:30
(Received via mailing list)
You could use a before_filter in combination with the AuthenticatedSystem
module. Just add the following in your controller:
before_filter :login_required

You can also give the filter more options in case you want the login only
for a couple of specific actions, or for all actions but one...
Elliott G. (Guest)
on 2009-04-13 22:03
(Received via mailing list)
Thanks for the input.

I tried using before_filter :login_required along with the
require_role calls but it doesn't work either.

Maybe there's a conflict between the two plugins?

Any thoughts?

Thanks
Niels Nuyttens (Guest)
on 2009-04-13 22:08
(Received via mailing list)
I'm using it right here in my own projects, they work alongside just
fine...
before_filter :login_required, :only => [ :change_password ]
require_role "admin", :for => :edit, :unless => lambda { |user, params|
  return params[:id].to_i == user.id
}
require_role "admin", :for => [:index, :init_mailing]

Not sure where your problem could be coming from...
Elliott G. (Guest)
on 2009-04-13 22:26
(Received via mailing list)
OK, good to know. I may have broken something while modifying one of the
plugins then.

Thanks heaps Niels, that has set me in the right direction at least.

Elliott
Niels Nuyttens (Guest)
on 2009-04-13 23:36
(Received via mailing list)
You're most welcome,
Good luck fixing!
nico (Guest)
on 2009-04-14 13:04
(Received via mailing list)
Actually

require_role "user"
require_role "admin"

should be enough to protect your actions. I do it like that in my
projects.

Nico
Bharat R. (Guest)
on 2009-04-14 15:49
(Received via mailing list)
Hello Elliott,
Are you sure that:

1. You have these roles defined in the roles table? and
2. There is an entry for role_id and user_id in your roles_users table?

For example,

If admin user has a user_id of 1 in users table and your roles table
defines the "admin" role with a role_id = 1 then you must have a row
in roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.
Bharat
Elliott G. (Guest)
on 2009-04-14 18:21
(Received via mailing list)
I had broken r_a#before_filter :login_required by tweaking the source
to make some tests pass. That change had also altered the way the
r_r#require_role was working.

I changed the code back, and now require_role "user" & require_role "admin"
do as they should without having to use before_filter :login_required as well.

Thanks for the help guys!
Tyler K. (Guest)
on 2009-06-17 18:39
Bharat R. wrote:
> Hello Elliott,
> Are you sure that:
>
> 1. You have these roles defined in the roles table? and
> 2. There is an entry for role_id and user_id in your roles_users table?
>
> For example,
>
> If admin user has a user_id of 1 in users table and your roles table
> defines the "admin" role with a role_id = 1 then you must have a row
> in roles_users table corresponding to this combination:
>
> role_id = 1, user_id = 1
>
> Check if you have done this.
> Bharat

Sorry for resurrecting an old thread, but this situation describes
exactly the situation I have set up.  Yet I can't get the user to
authenticate as an administrator.

I have a single user who I have granted admin rights, in the
admins_users table:

| admin_id | user_id |
+----------+---------+
|        1 |       1 |

Where in the user table the user has ID = 1.  The user is also in the
admins table:

| id | name |
+----+------+
|  1 | test |

However, I am seeing this query deny the user access:

 User Columns (1.3ms)   SHOW FIELDS FROM `users`
  User Load (0.5ms)   SELECT * FROM `users` WHERE (`users`.`id` = 1)
LIMIT 1
  admins_users Columns (0.8ms)   SHOW FIELDS FROM `admins_users`
  Admin Load (1.2ms)   SELECT * FROM `admins` INNER JOIN
`admins_users` ON `admins`.id = `admins_users`.admin_id WHERE
(`admins_users`.user_id = 1 )
  Admin Columns (0.8ms)   SHOW FIELDS FROM `admins`
Filter chain halted as [:check_roles] rendered_or_redirected.

I always end up with the following text:

'You don't have access here.'

It seems like something is going wrong here:

def check_roles
  return access_denied unless self.class.<%= users_name %>_authorized_for?(current_<%= users_name %>, params, binding)

  true
end

However, I can't seem to discover why the user is denied access.
Tyler K. (Guest)
on 2009-06-17 21:13
> However, I can't seem to discover why the user is denied access.

Within the user model there is a method called has_role? which compares
all names in the admin table versus "admin".  If it matches then the
user is granted admin access.  I modified has_role? by passing the
user's id in as well (lib/role_requirement_system.rb line 100).  It now
compares the user's id vs the ids in the admin table.  A match grants
admin access.
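As an added example (not the role_requirement plugin's own code), here is a plain-Ruby model of the pieces discussed in this thread: the require_role macro with :for and :unless as in Niels' snippet, the roles and roles_users tables Bharat describes, and a has_role? that resolves membership by role name. The class names are assumptions, as is the policy that holding any one of the required roles passes (which matches what the first post describes); a nil current_user (nobody logged in) is denied by every rule, and a join-table row pointing at a role named "test" does not satisfy require_role "admin".

```ruby
# Added example, not the role_requirement plugin's code. Names (Role, User,
# RoleDb, RoleRule, RoleGate) and the any-rule-passes policy are assumptions.
Role = Struct.new(:id, :name)
User = Struct.new(:id)

class RoleDb
  # roles: rows of the roles table; memberships: [role_id, user_id] pairs
  # standing in for the roles_users join table.
  def initialize(roles, memberships)
    @roles, @memberships = roles, memberships
  end
  # Membership is resolved by role NAME: a join-table row pointing at a role
  # named "test" does not satisfy require_role "admin".
  def has_role?(user, role_name)
    @memberships.any? do |role_id, user_id|
      user_id == user.id && @roles.any? { |r| r.id == role_id && r.name == role_name }
    end
  end
end

class RoleRule
  # require_role "admin", :for => :edit, :unless => lambda { |user, params| ... }
  def initialize(role, actions, unless_proc)
    @role, @unless_proc = role, unless_proc
    @actions = Array(actions).map(&:to_sym)   # empty => applies to every action
  end
  def applies_to?(action)
    @actions.empty? || @actions.include?(action.to_sym)
  end
  def satisfied_by?(user, params, db)
    return false if user.nil?                  # nobody logged in: never passes
    return true if @unless_proc && @unless_proc.call(user, params)
    db.has_role?(user, @role)
  end
end

class RoleGate
  def initialize(db)
    @db, @rules = db, []
  end
  def require_role(role, options = {})
    @rules << RoleRule.new(role, options[:for], options[:unless])
  end
  # Stands in for check_roles: access is denied unless some applicable rule passes.
  def authorized?(user, action, params = {})
    applicable = @rules.select { |r| r.applies_to?(action) }
    applicable.empty? || applicable.any? { |r| r.satisfied_by?(user, params, @db) }
  end
end
```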