LoginEngine / UserEngine conceptual help


#1

All,

I have a small Intranet app I’m trying to get ready for remote access.
(I only have 15 or so users for now and I don’t plan to be adding
very many more.).

I have installed the login engine and it seems to be working as
advertized. (Great job!)

For my needs I don’t want random people to be able to register and get
access to my app, but I will need to register new people every once in
a while.

Using just the login engine is there someway to restrict access to the
signup page to the existing users with logins? Or better yet just to
myself and one other person?

If not, should I consider also using the user engine and then only
providing a very basic website to anyone who registers but I have not
yet granted advanced rights to?

Thanks
Greg

Greg F.
The Norcross Group
Forensics for the 21st Century


#2

Greg F. wrote:

All,

I have a small Intranet app I’m trying to get ready for remote access.
(I only have 15 or so users for now and I don’t plan to be adding
very many more.).

I have installed the login engine and it seems to be working as
advertized. (Great job!)

For my needs I don’t want random people to be able to register and get
access to my app, but I will need to register new people every once in
a while.

Using just the login engine is there someway to restrict access to the
signup page to the existing users with logins? Or better yet just to
myself and one other person?

If not, should I consider also using the user engine and then only
providing a very basic website to anyone who registers but I have not
yet granted advanced rights to?

Thanks
Greg

Greg F.
The Norcross Group
Forensics for the 21st Century

Why not just remove the controller and associated views? or simply
comment the controller out?

just an idea

-A


#3

or set up roles a la
http://wiki.rubyonrails.com/rails/pages/LoginGeneratorAccessControlList

-A


#4

Okay newbie question.

When you say create my own view for user/login, do I do that under
vendor/plugins/…

Or do I do that in app/views/user/login.rhtml ?

I don’t currently have any user stuff in my app directory, only in the
vendor/plugins directory.

I’m concerned that any changes I make to vendor/plugins will be lost
if I upgrade the engine.

Thanks
Greg
On 1/16/06, Steve R. removed_email_address@domain.invalid wrote:

advertized. (Great job!)
providing a very basic website to anyone who registers but I have not


Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


Greg F.
The Norcross Group
Forensics for the 21st Century


#5

Just create your own login view and don’t add a link to register. You
will
still be able to create the users. See my article on the wiki.

http://wiki.rubyonrails.com/rails/pages/HowToUseUserEngine

The method you will use for creating users is:

/user/new

Hope this works for you.


#6

I needed to do basically the exact same thing - allow the creation of
users, but not let random people just register. In my app, I create
all user accounts, so nobody actually signs up. I started off with
the LoginEngine, but realized that it did quite a bit more than I
needed in this.

I ended up just uninstalling the engine and writing my own…which
involved setting up scaffolding for the User model, and copying the
login_system.rb file. So not a whole lot of actual writing :slight_smile:

You could also overwrite the controller to require admin rights to the
registration page. You’d have to do this with every action you don’t
want regular users to have access to though. Might be a good approach
if you anticipate opening the app up to more users in the near future,
but if not, you’re probably better off just doing it yourself.
Doesn’t take very long at all.

Pat


#7

Do it in your app/view/user/login.rhtml. You’ll have to mirror the one
that
is in the plugin’s directory, but take out what you don’t want.

You’re right, it’s not a good idea to mess with the plugin’s code lest
your
work be lost in an upgrade.


#8

It should be noted that these instructions apply to the UserEngine,
which works above the LoginEngine, and of course won’t work with just
the LoginEngine installed.

For the particular problem Greg was dicussing, the LoginEngine (or
generator) provides sufficient restriction to do what he wants.

  • james

#9

I think I’ll try to keep the engine because I have no idea how much
this site will expand in the future.

Based on you comments I found the “protect” method in
user_controller.rb and simply removed "signup’ from the list of pages
random people can get to.

Now only someone logged in can access the signup page. I now just
need to add a link to the signup page from one of my normal pages and
I’m done.

I think the only negative with what I did is I modified the core
engine code so if I ever update it to a new version my change will be
lost.

If there is a more maintable method I’d like to hear about it.

Thanks
Greg
On 1/16/06, Pat M. removed_email_address@domain.invalid wrote:

You could also overwrite the controller to require admin rights to the

All,
a while.
Greg
Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


Greg F.
The Norcross Group
Forensics for the 21st Century


#10

On 16 Jan '06, at 2:34 PM, Steve R. wrote:

Just create your own login view and don’t add a link to register.
You will
still be able to create the users. See my article on the wiki.

But doesn’t that mean that anyone who can guess the URL of the
register action can still type it in by hand and register themselves?
Removing links doesn’t remove functionality.

Changing the permissions of the register action, so that only an
admin can reach it, seems more secure.

–Jens


#11

That works perfectly.

I also created a new /app/view/user/login.rhtml and removed the link.

This is my first exposure to engines and I’m very impressed.

Greg

On 1/16/06, James A. removed_email_address@domain.invalid wrote:

end
[2] http://api.rails-engines.org/engines/

need to add a link to the signup page from one of my normal pages and
On 1/16/06, Pat M. removed_email_address@domain.invalid wrote:

You could also overwrite the controller to require admin rights to the

All,
a while.
Greg
Rails mailing list
Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


Greg F.
The Norcross Group
Forensics for the 21st Century


#12

If you create your own /app/controllers/user_controller.rb file, and
give it the contents:

class UserController < ApplicationController
def protect?(action)
if [‘login’, ‘forgot_password’].include?(action)
return false
else
return true
end
end
end

… this will override the equivalent method within the engine,
removing your need to edit the engine. You can see this in action in
the engines demo movie[1], or in the documentation (section ‘Tweaking
Engines’ in the Engines plugin rdoc[2])

  • james

[1] http://rails-engines.rubyforge.org/movies/engines_intro.mov
[2] http://api.rails-engines.org/engines/


#13

James A. wrote:

If you create your own /app/controllers/user_controller.rb file, and
give it the contents:

class UserController < ApplicationController
def protect?(action)
if [‘login’, ‘forgot_password’].include?(action)
return false
else
return true
end
end
end

… this will override the equivalent method within the engine,
removing your need to edit the engine. You can see this in action in
the engines demo movie[1], or in the documentation (section ‘Tweaking
Engines’ in the Engines plugin rdoc[2])

  • james

[1] http://rails-engines.rubyforge.org/movies/engines_intro.mov
[2] http://api.rails-engines.org/engines/

I see that this worked for Greg, but it isn’t working for me. If I cut
and paste the UserController code above into the named file I can still
get to the signup form and submit it (when not logged in). Is there
something I can to to try and figure out why my user_controller.rb is
not being mixed in with the one from the plugin?

The log includes:
requiring file
‘./script/…/config/…/app/controllers/user_controller.rb’
detected RAILS_ROOT, rewriting to ‘app/controllers/user_controller.rb’
checking ‘login_engine’ for
./script/…/config/…/vendor/plugins/login_engine/app/controllers/user_controller.rb
–> found, loading from engine ‘login_engine’
finally loading from application: ‘user_api.rb’
finally loading from application:
‘./script/…/config/…/app/controllers/user_controller.rb’

It sure looks like my user_controller.rb file is read, but I certainly
get to http://localhost:3000/user/signup when I doe not believe that I
should. I have tripple checked the file names, the locations of the
files, the content of the files and restarted WEBrick numerous times to
no avail.

TIA,
Scott


#14

Scott Eade wrote:

It sure looks like my user_controller.rb file is read, but I certainly
get to http://localhost:3000/user/signup when I doe not believe that I
should. I have tripple checked the file names, the locations of the
files, the content of the files and restarted WEBrick numerous times to
no avail.

TIA,
Scott

Does your user.rb file include the LoginEngine and UserEngine libs?

_Kevin


#15

Kevin O. wrote:

Scott Eade wrote:

It sure looks like my user_controller.rb file is read, but I certainly
get to http://localhost:3000/user/signup when I doe not believe that I
should. I have tripple checked the file names, the locations of the
files, the content of the files and restarted WEBrick numerous times to
no avail.

TIA,
Scott

Does your user.rb file include the LoginEngine and UserEngine libs?

_Kevin

I’m just using the user model supplied by LoginEngine, to my knowledge
it should not be necessary for me to define my own user model in order
achieve the desired effect - i.e. it works now, but I want to override
the protect? method so that I can restrict access even further.

Scott


#16

In case anyone’s still having problems with controllers/helpers not
being loaded as expected, please try using the latest Engines plugin
release branch version:

http://opensvn.csie.org/rails_engines/engines/branches/rb_1.0

…give me feedback on the relevant thread on engines-developers, if
you’re having problems. Cheers!

  • james

#17

Good point. See James¹s post earlier. In addition, you can override
login in
your /app/controllers/user_controller.rb to

flash[:error] = ³no way, dude²
redirect_to :action => �index¹

Right?


#18

I was also unable to override the protect? method in the user
controller. I have been successful in overriding other methods for
example the home method. This would lead me to believe that the user
controller that I created is being read in. Any suggestions?

Thanks,
Lorne