Role_requirement question

I am using restful_authentication in combination with role_requirement.

At the beginning of the controllers that I want to have login control
over, I include

require_role "user"
require_role "admin"

For instance. If I login as either of the two roles then call a
controller it works fine. However if I do not login at all and simply
call a controller, it lets me right in. It doesn’t restrict access
whatsoever. No redirect to a login page or anything.

How do I restrict access if no user is logged in at all?

Thanks

You could use a before_filter in combination with the AuthenticatedSystem
module. Just add the following in your controller:

before_filter :login_required

You can also give the filter more options in case you want the login only
for a couple of specific actions, or for all actions but one…

Thanks for the input.

I tried using before_filter :login_required along with the
require_role calls but it doesn’t work either.

Maybe there’s a conflict between the two plugins?

Any thoughts?

Thanks

OK good to know. I may have broken something while modifying one of the
plugins then.

Thanks heaps Niels, that has set me in the right direction at least.

Elliott

You’re most welcome,
Good luck fixing!

I’m using it right here in my own projects, they work alongside just
fine…

before_filter :login_required, :only => [ :change_password ]
require_role "admin", :for => :edit, :unless => lambda { |user, params|
  return params[:id].to_i == user.id
}
require_role "admin", :for => [:index, :init_mailing]

Not sure where your problem could be coming from…

Actually

require_role "user"
require_role "admin"

should be enough to protect your actions. I do it like that in my
projects.

Nico

Hello Elliott,
Are you sure that:

  1. You have these roles defined in the roles table? and;
  2. There is an entry for row_id and user_id in your roles_users table?

For example,

If the admin user has a user_id of 1 in the users table and your roles table
defines the “admin” role with role_id = 1, then you must have a row
in the roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.
Bharat

I had broken r_a#before_filter :login_required by tweaking the source
to make some tests pass. That change had also altered the way the
r_r#require_role was working.

I changed the code back, and now require_role "user" & require_role
"admin" do as they should without having to use
before_filter :login_required as well.

Thanks for the help guys!

Bharat R. wrote:

Hello Elliott,
Are you sure that:

  1. You have these roles defined in the roles table? and;
  2. There is an entry for row_id and user_id in your roles_users table?

For example,

If the admin user has a user_id of 1 in the users table and your roles table
defines the “admin” role with role_id = 1, then you must have a row
in the roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.
Bharat

Sorry for resurrecting an old thread, but this situation describes
exactly the situation I have set up. Yet I can’t get the user to
authenticate as an administrator.

I have a single user who I have granted admin rights, in the
admins_users table:

| admin_id | user_id |
+----------+---------+
| 1        | 1       |

Where in the user table the user has ID = 1. The user is also in the
admins table:

| id | name |
+----+------+
| 1  | test |

However, I am seeing this query deny the user access:

User Columns (1.3ms) SHOW FIELDS FROM users
User Load (0.5ms) SELECT * FROM users WHERE (users.id = 1)
LIMIT 1
admins_users Columns (0.8ms) SHOW FIELDS FROM admins_users
Admin Load (1.2ms) SELECT * FROM admins INNER JOIN
admins_users ON admins.id = admins_users.admin_id WHERE
(admins_users.user_id = 1 )
Admin Columns (0.8ms) SHOW FIELDS FROM admins
Filter chain halted as [:check_roles] rendered_or_redirected.

I always end up with the following text:

‘You don’t have access here.’

It seems like something is going wrong here:

def check_roles
  return access_denied unless self.class.<%= users_name %>authorized_for?(current<%= users_name %>, params, binding)

  true
end

However, I can’t seem to discover why the user is denied access.

However, I can’t seem to discover why the user is denied access.

Within the user model there is a method called has_role? which compares
all names in the admin table versus “admin”. If it matches then the
user is granted admin access. I modified has_role? by passing the
user’s id in as well (lib/role_requirement_system.rb line 100). It now
compares the user’s id vs the ids in the admin table. A match grants
admin access.
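The thread describes three pieces of the role check: a roles / roles_users join table looked up by has_role?, require_role rules with :for and :unless options, and an authorized_for? call that the check_roles filter turns into access_denied. The stand-alone model below is an added example, not the role_requirement plugin's code; the table contents, the RoleGuard class name and the rule that any satisfied requirement grants access (as the thread reports for "user" and "admin") are assumptions made for illustration. Its point is the case the original poster hit: when a rule applies and nobody is logged in, the check must fail closed.

```ruby
# Stand-alone model of the require_role / has_role? check discussed in the
# thread. Constructed for illustration; not the role_requirement plugin's code.

# Constructed stand-ins for the users, roles and roles_users tables.
USERS       = { 1 => { id: 1, login: "alice" }, 2 => { id: 2, login: "bob" } }
ROLES       = { 1 => "admin", 2 => "user" }
ROLES_USERS = [[1, 1], [2, 1], [2, 2]]   # [role_id, user_id] rows

# Mirrors User#has_role?: the join table must link this user to a role
# whose name matches; a missing roles_users row means no role.
def has_role?(user, name)
  ROLES_USERS.any? { |role_id, user_id| user_id == user[:id] && ROLES[role_id] == name }
end

class RoleGuard
  def initialize
    @rules = []
  end

  # Same shape as the macro used in the thread: a role name, an optional
  # :for (one action or a list) and an optional :unless lambda |user, params|.
  def require_role(role, options = {})
    @rules << { role: role, for: Array(options[:for]).map(&:to_s), unless: options[:unless] }
  end

  # The check_roles filter would call this and render access_denied on false.
  # Assumed semantics (per the thread): any satisfied rule grants access.
  # It fails closed: when a rule applies and nobody is logged in (nil user),
  # the answer is false, which is the behaviour the original poster was missing.
  def authorized_for?(user, params)
    action = params[:action].to_s
    applicable = @rules.select { |r| r[:for].empty? || r[:for].include?(action) }
    return true if applicable.empty?     # action not guarded by any rule
    return false if user.nil?            # not logged in: never let through
    applicable.any? do |r|
      next true if r[:unless] && r[:unless].call(user, params)  # bypass, e.g. own record
      has_role?(user, r[:role])
    end
  end
end

# Guards as written in the thread: either role gets in, nobody logged in does not.
GUARD = RoleGuard.new
GUARD.require_role("user")
GUARD.require_role("admin")

# The :for / :unless form from Niels' post: admins edit anything, users only themselves.
EDIT_GUARD = RoleGuard.new
EDIT_GUARD.require_role("admin", for: :edit, unless: lambda { |user, params| params[:id].to_i == user[:id] })
```

Swapping the in-memory tables for real ActiveRecord lookups is the only change needed to reproduce Bharat's check: a user with no roles_users row is denied exactly like a user who is not logged in.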