Redirection as POST to enable authentication for POST action


#1

Hi all,

I am wondering if anyone can help me or has had similar experiences
before:

I am trying to authenticate users before allowing them to access
certain actions (create, update, destroy) in my controller, e.g.
items_controller. I have done this by using a before_filter that
redirects them to a users_controller if session[:login] is nil. (e.g.
items/update/25 redirects to users/login)

What I want to do is:

  1. Preserve the original parameters in all redirections (from items/
    update/25 to users/login, users/login to users/authenticate, and users/
    authenticate to items/update/25)
  2. To make the authentication transparent to the actions (they need
    not care/know if the incoming request is a redirection due to
    authentication or if it's a normal request).

I have come up with this incomplete solution:

  1. I use flash to propagate the parameters (request.parameters) from
    items/update/25 to users/login to users/authenticate to items/update/
  2. I wasn't able to use session variables because they don't seem to be
    preserved across controllers (I'm not so sure about the reason).
  3. I manually inserted the parameters back into params by applying a
    before_filter for the actions (create, update, destroy)

The problem I have for the above solution is:

  1. It's not very transparent as I have to manually insert the
    parameters back into params, but worst of all
  2. The redirection causes the request to become a GET not a POST and I
    have to turn off the verify code (the one generated by scaffolding)
    that restricts Create, Update, and Destroy actions to POST.

Does anyone have any advice for the above?

Best regards,

Jesse P.


#2

See how restful_authentication plugin does it.

Check #store_location in
http://svn.techno-weenie.net/projects/plugins/restful_authentication/generators/authenticated/templates/authenticated_system.rb

On 8/3/07, Jesse P. removed_email_address@domain.invalid wrote:

Cheers!


#3

Hi Pratik,

I have read the code you mentioned and it doesn't even seem to save the
parameters, let alone handle POST. It merely does redirect_to from a
saved URI.

Best regards,

Jesse


#4

Hi Shai,

Thanks for your comments. For the parameters, I am now using session
variables and it works across controllers (I'm not sure why it didn't
work the other time). But as for acts_as_authenticated, I have seen
the code and it doesn't store any parameters from the original request.
It merely stores the URI. After authentication, it redirects to the
saved URI in the session variable. There are 2 problems with this:

  1. I want to be able to save the parameters from the original request
  2. I want to redirect as POST not GET to the original URI

In light of the above, I don't think acts_as_authenticated will work
for me. In your experience, do you have any other possible
suggestions?

Thanks,

Jesse

On Aug 5, 7:02 pm, Shai R. removed_email_address@domain.invalid


#5

Hi Jesse,

I don't think you should be having the problems you're having ... an
authenticated system is pretty straight-forward, and I think all the
answers to your problems shouldn't be too hard to catch, if you're
using

http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated

there are docs and all...
If you are using this, and are still having trouble, maybe you should
paste some code so we can dig in a little bit as to what the exact
problem is:

*) passing variables via flash is a pretty bad practice... I personally
wouldn't do that
*) session variables should definitely be passed through controllers, so
that problem is probably more technical rather than a RoR problem. Maybe
you should post some code


#6

I’m interested in this too. Something like this can occur if a user
starts a form while authenticated, but then submits it after their
authentication has timed out. I want to be able to reauthenticate them
with a minimum of fuss and get back to handling their POST without
making them start the form over again or back-button back to the form.

One possibility is to have the action allow GET requests in which case
it looks in the session to see if there’s data intended for that action.
But you’d have to do this for every single form-handling action.

Maybe it could be handled in ActionController’s before_filter: if a GET
request’s action matches the name of the action stored in the session
data as the intended target for the session’s stored POST data, then
stuff that session data into params.

I’m a little concerned about such session data getting orphaned or
stale. If the user failed to authenticate, or just wandered off
somewhere else, how would that session data get removed? What happens if
they start the form over differently with old form data still sitting in
their session?

I don’t think there’s a way to redirect as a POST request. A redirect is
just a message to the user’s browser saying, hey, this page has moved,
here’s the new address, and it’s up to the browser to decide what to do,
and they all just submit GET requests for the new page.

This issue seems like such an obvious thing, that it makes me worried
that there isn’t an obvious rails pattern or plug-in for this. Maybe
other designers are punting on this or designing apps in such a way that
it never comes up.
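The session-stash approach sketched in the two posts above (store the unauthenticated POST's params, send the user to login, then have a before_filter re-inject the stored params into a GET that targets the same controller and action), written out as an added example. This is plain Ruby that models the filter chain without Rails, and it is not code from the thread or from any of the plugins mentioned; the names (PendingRequestStash, ItemsController#dispatch, STASH_TTL, run_scenario) and the 15-minute expiry are assumptions. It also handles the orphan concern raised above: the stash is deleted on first read, is only replayed for its exact target, and is dropped once it is older than STASH_TTL.

```ruby
# Added example, not code from the thread or from any plugin it mentions.
# Plain-Ruby (no Rails) model of the pattern discussed above: a before_filter
# stashes an unauthenticated POST's params in the session, redirects to login,
# and a later GET to the same controller/action gets the params re-injected.
# All names and the TTL below are assumptions.

STASH_TTL = 15 * 60 # seconds a stashed request stays replayable (assumed)

# Minimal stand-in for a Rails request.
Request = Struct.new(:http_method, :controller, :action, :params)

module PendingRequestStash
  KEY = :pending_request

  # Store the POST for later replay, keyed to its exact target.
  def self.store(session, request, now)
    session[KEY] = {
      controller: request.controller,
      action:     request.action,
      params:     request.params.dup,
      stored_at:  now
    }
    # Path the login flow sends the browser back to (carries the record id).
    session[:return_to] = "/#{request.controller}/#{request.action}/#{request.params['id']}"
  end

  # Remove and return the stashed params if they match this target and are
  # not stale. Deleting first guarantees single use, so nothing lingers in
  # the session if the user wanders off or fails to log in.
  def self.consume(session, request, now)
    entry = session.delete(KEY)
    return nil unless entry
    return nil if now - entry[:stored_at] > STASH_TTL
    return nil unless entry[:controller] == request.controller &&
                      entry[:action] == request.action
    entry[:params]
  end
end

class ItemsController
  PROTECTED = %w[create update destroy].freeze

  def initialize(session)
    @session = session
  end

  # Plays the role of the before_filter chain plus the action itself.
  def dispatch(request, now = Time.now.to_i)
    if PROTECTED.include?(request.action)
      if @session[:login].nil?
        PendingRequestStash.store(@session, request, now)
        return { redirect: '/users/login' }
      end
      if request.http_method == 'GET'
        replay = PendingRequestStash.consume(@session, request, now)
        # A GET with nothing stashed is refused, like scaffolding's verify.
        return { status: 405 } unless replay
        request.params.merge!(replay) # transparent to the action
      end
    end
    case request.action
    when 'update' then update(request.params)
    else { status: 404 }
    end
  end

  def update(params)
    { updated: params['id'], name: params['name'] }
  end
end

# Login stand-in: on success, hand back the stored path (the browser follows it as a GET).
def authenticate(session, user)
  session[:login] = user
  session.delete(:return_to) || '/'
end

# Full round trip on constructed data: POST while logged out -> login -> GET replayed.
def run_scenario(now: 1_000, login_delay: 60)
  session = {}
  items = ItemsController.new(session)
  post = Request.new('POST', 'items', 'update', { 'id' => '25', 'name' => 'widget' })
  first = items.dispatch(post, now)        # redirect to login
  back  = authenticate(session, 'jesse')   # '/items/update/25'
  get   = Request.new('GET', 'items', 'update', { 'id' => '25' })
  second = items.dispatch(get, now + login_delay)
  [first, back, second, session.key?(PendingRequestStash::KEY)]
end
```

With the default delay the GET is served with the original POST's params and the stash is gone; with a delay past STASH_TTL the same GET is refused with 405 and the stale entry is still removed, so the session never accumulates old form data.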


#7

This issue seems like such an obvious thing, that it makes me worried
that there isn’t an obvious rails pattern or plug-in for this. Maybe
other designers are punting on this or designing apps in such a way that
it never comes up.

Bingo, check out the restful_authentication plugin.

http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated
http://svn.techno-weenie.net/projects/plugins/restful_authentication/
http://svn.techno-weenie.net/projects/plugins/acts_as_authenticated/


Rick O.
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com


#8

Rick,

I looked at restful_authentication (just your second link). I see it
storing the url to redirect back to after authentication
(authenticated_system.rb#login_required -> access_denied ->
store_location), but I don’t see it storing POST data (params) for later
use. Where does that happen?