I have a small Intranet app I’m trying to get ready for remote access.
(I only have 15 or so users for now and I don’t plan to be adding
very many more.).
I have installed the login engine and it seems to be working as
advertized. (Great job!)
For my needs I don’t want random people to be able to register and get
access to my app, but I will need to register new people every once in
a while.
Using just the login engine is there someway to restrict access to the
signup page to the existing users with logins? Or better yet just to
myself and one other person?
If not, should I consider also using the user engine and then only
providing a very basic website to anyone who registers but I have not
yet granted advanced rights to?
Thanks
Greg
Greg F.
The Norcross Group
Forensics for the 21st Century
I have a small Intranet app I’m trying to get ready for remote access.
(I only have 15 or so users for now and I don’t plan to be adding
very many more.).
I have installed the login engine and it seems to be working as
advertized. (Great job!)
For my needs I don’t want random people to be able to register and get
access to my app, but I will need to register new people every once in
a while.
Using just the login engine is there someway to restrict access to the
signup page to the existing users with logins? Or better yet just to
myself and one other person?
If not, should I consider also using the user engine and then only
providing a very basic website to anyone who registers but I have not
yet granted advanced rights to?
Thanks
Greg
Greg F.
The Norcross Group
Forensics for the 21st Century
Why not just remove the controller and associated views? or simply
comment the controller out?
I needed to do basically the exact same thing - allow the creation of
users, but not let random people just register. In my app, I create
all user accounts, so nobody actually signs up. I started off with
the LoginEngine, but realized that it did quite a bit more than I
needed in this.
I ended up just uninstalling the engine and writing my own…which
involved setting up scaffolding for the User model, and copying the
login_system.rb file. So not a whole lot of actual writing
You could also overwrite the controller to require admin rights to the
registration page. You’d have to do this with every action you don’t
want regular users to have access to though. Might be a good approach
if you anticipate opening the app up to more users in the near future,
but if not, you’re probably better off just doing it yourself.
Doesn’t take very long at all.
It should be noted that these instructions apply to the UserEngine,
which works above the LoginEngine, and of course won’t work with just
the LoginEngine installed.
For the particular problem Greg was dicussing, the LoginEngine (or
generator) provides sufficient restriction to do what he wants.
Just create your own login view and don’t add a link to register.
You will
still be able to create the users. See my article on the wiki.
But doesn’t that mean that anyone who can guess the URL of the
register action can still type it in by hand and register themselves?
Removing links doesn’t remove functionality.
Changing the permissions of the register action, so that only an
admin can reach it, seems more secure.
If you create your own /app/controllers/user_controller.rb file, and
give it the contents:
class UserController < ApplicationController
def protect?(action)
if [‘login’, ‘forgot_password’].include?(action)
return false
else
return true
end
end
end
… this will override the equivalent method within the engine,
removing your need to edit the engine. You can see this in action in
the engines demo movie[1], or in the documentation (section ‘Tweaking
Engines’ in the Engines plugin rdoc[2])
If you create your own /app/controllers/user_controller.rb file, and
give it the contents:
class UserController < ApplicationController
def protect?(action)
if [‘login’, ‘forgot_password’].include?(action)
return false
else
return true
end
end
end
… this will override the equivalent method within the engine,
removing your need to edit the engine. You can see this in action in
the engines demo movie[1], or in the documentation (section ‘Tweaking
Engines’ in the Engines plugin rdoc[2])
I see that this worked for Greg, but it isn’t working for me. If I cut
and paste the UserController code above into the named file I can still
get to the signup form and submit it (when not logged in). Is there
something I can to to try and figure out why my user_controller.rb is
not being mixed in with the one from the plugin?
The log includes:
requiring file
‘./script/…/config/…/app/controllers/user_controller.rb’
detected RAILS_ROOT, rewriting to ‘app/controllers/user_controller.rb’
checking ‘login_engine’ for
./script/…/config/…/vendor/plugins/login_engine/app/controllers/user_controller.rb
→ found, loading from engine ‘login_engine’
finally loading from application: ‘user_api.rb’
finally loading from application:
‘./script/…/config/…/app/controllers/user_controller.rb’
It sure looks like my user_controller.rb file is read, but I certainly
get to http://localhost:3000/user/signup when I doe not believe that I
should. I have tripple checked the file names, the locations of the
files, the content of the files and restarted WEBrick numerous times to
no avail.
It sure looks like my user_controller.rb file is read, but I certainly
get to http://localhost:3000/user/signup when I doe not believe that I
should. I have tripple checked the file names, the locations of the
files, the content of the files and restarted WEBrick numerous times to
no avail.
TIA,
Scott
Does your user.rb file include the LoginEngine and UserEngine libs?
It sure looks like my user_controller.rb file is read, but I certainly
get to http://localhost:3000/user/signup when I doe not believe that I
should. I have tripple checked the file names, the locations of the
files, the content of the files and restarted WEBrick numerous times to
no avail.
TIA,
Scott
Does your user.rb file include the LoginEngine and UserEngine libs?
_Kevin
I’m just using the user model supplied by LoginEngine, to my knowledge
it should not be necessary for me to define my own user model in order
achieve the desired effect - i.e. it works now, but I want to override
the protect? method so that I can restrict access even further.
In case anyone’s still having problems with controllers/helpers not
being loaded as expected, please try using the latest Engines plugin
release branch version:
I was also unable to override the protect? method in the user
controller. I have been successful in overriding other methods for
example the home method. This would lead me to believe that the user
controller that I created is being read in. Any suggestions?
Thanks,
Lorne
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
