Role_requirement question


#1

I am using restful_authentication in combination with role_requirment.

At the beginning of the controllers that I want to have login control
over, I include

require_role "user"
require_role "admin"

for instance. If I log in as either of the two roles and then call a
controller it works fine. However, if I do not log in at all and simply
call a controller, it lets me right in. It doesn't restrict access
whatsoever. No redirect to a login page or anything.

How do I restrict access if no user is logged in at all?

Thanks


#2

You could use a before_filter in combination with the AuthenticatedSystem
module. Just add the following in your controller:

before_filter :login_required

You can also give the filter more options in case you want the login only
for a couple of specific actions, or for all actions but one...


#3

Thanks for the input.

I tried using before_filter :login_required along with the
require_role calls, but it doesn't work either.

Maybe there’s a conflict between the two plugins?

Any thoughts?

Thanks


#4

OK, good to know. I may have broken something while modifying one
of the plugins then.

Thanks heaps Niels, that has set me in the right direction at least.

Elliott


#5

You’re most welcome,
Good luck fixing!


#6

I'm using it right here in my own projects; they work alongside just
fine...

before_filter :login_required, :only => [ :change_password ]
require_role "admin", :for => :edit, :unless => lambda { |user, params|
  return params[:id].to_i == user.id
}
require_role "admin", :for => [:index, :init_mailing]

Not sure where your problem could be coming from…


#7

Actually

require_role "user"
require_role "admin"

should be enough to protect your actions. I do it like that in my
projects.

Nico


#8

Hello Elliott,
Are you sure that:

  1. You have these roles defined in the roles table? and;
  2. There is an entry for role_id and user_id in your roles_users table?

For example,

If the admin user has a user_id of 1 in the users table and your roles table
defines the "admin" role with role_id = 1, then you must have a row
in the roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.
Bharat


#9

I had broken r_a#before_filter :login_required by tweaking the source
to make some tests pass. That change had also altered the way the
r_r#require_role was working.

I changed the code back, and now require_role "user" & require_role
"admin" do as they should without having to use
before_filter :login_required as well.

Thanks for the help guys!


#10

Bharat R. wrote:

Hello Elliott,
Are you sure that:

  1. You have these roles defined in the roles table? and;
  2. There is an entry for role_id and user_id in your roles_users table?

For example,

If the admin user has a user_id of 1 in the users table and your roles table
defines the "admin" role with role_id = 1, then you must have a row
in the roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.
Bharat

Sorry for resurrecting an old thread, but this describes exactly the
situation I have set up. Yet I can't get the user to authenticate as an
administrator.

I have a single user who I have granted admin rights, in the
admins_users table:

| admin_id | user_id |
+----------+---------+
|        1 |       1 |

where in the users table the user has ID = 1. The user is also in the
admins table:

| id | name |
+----+------+
|  1 | test |

However, I am seeing this query deny the user access:

User Columns (1.3ms) SHOW FIELDS FROM users
User Load (0.5ms) SELECT * FROM users WHERE (users.id = 1)
LIMIT 1
admins_users Columns (0.8ms) SHOW FIELDS FROM admins_users
Admin Load (1.2ms) SELECT * FROM admins INNER JOIN
admins_users ON admins.id = admins_users.admin_id WHERE
(admins_users.user_id = 1 )
Admin Columns (0.8ms) SHOW FIELDS FROM admins
Filter chain halted as [:check_roles] rendered_or_redirected.

I always end up with the following text:

‘You don’t have access here.’

It seems like something is going wrong here:

def check_roles
  return access_denied unless self.class.<%= users_name %>authorized_for?(current<%= users_name %>, params, binding)

  true
end

However, I can’t seem to discover why the user is denied access.


#11

However, I can’t seem to discover why the user is denied access.

Within the user model there is a method called has_role? which compares
all names in the admin table against "admin". If one matches, the
user is granted admin access. I modified has_role? by passing the
user's id in as well (lib/role_requirement_system.rb line 100). It now
compares the user's id against the ids in the admin table. A match grants
admin access.
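The role lookup through roles_users that post #8 describes, and the fail-closed check post #1 expected, as an added example in plain Ruby (not role_requirement's or any poster's code); the sample users and roles are constructed, and the all-requirements-must-pass semantics is an assumption for this stand-in, not verified against the plugin:

```ruby
# Added example, not role_requirement's own code: a pure-Ruby stand-in for
# the plugin's role check so the thread's setup can be exercised without Rails.
# Constructed data matching post #8: "admin" has role_id 1 and is linked to
# user_id 1 through roles_users; user 2 holds only the "user" role.
USERS       = { 1 => "elliott", 2 => "someone" }
ROLES       = { 1 => "admin", 2 => "user" }
ROLES_USERS = [ { :role_id => 1, :user_id => 1 },
                { :role_id => 2, :user_id => 1 },
                { :role_id => 2, :user_id => 2 } ]

# Stand-in for User#has_role?: follow the roles_users join and compare the
# role *name*, which is what post #11 says the stock method does.
def has_role?(user_id, role_name)
  ROLES_USERS.any? do |row|
    row[:user_id] == user_id && ROLES[row[:role_id]] == role_name
  end
end

# One entry per require_role call, so
#   require_role "admin", :for => :edit, :unless => lambda { |user, params| ... }
# becomes { :roles => ["admin"], :for => :edit, :unless => lambda { ... } }.
# Assumption for this stand-in (not checked against the plugin): every
# applicable requirement must be met, and any listed role satisfies one.
def check_roles(current_user_id, action, params, requirements)
  requirements.each do |req|
    next if req[:for] && !Array(req[:for]).include?(action)
    # :unless receives (user, params) and may waive this requirement.
    next if req[:unless] && req[:unless].call(current_user_id, params)
    # Nobody logged in: deny here, never fall through to the action.
    return :access_denied if current_user_id.nil?
    return :access_denied unless req[:roles].any? { |r| has_role?(current_user_id, r) }
  end
  :allowed
end

# Rules mirroring post #6: admins may edit or list anyone; other users may
# edit only the record whose :id is their own. A logged-out caller (nil)
# never matches the :unless waiver, so it is still denied.
EDIT_RULES = [
  { :roles => ["admin"], :for => [:edit, :index],
    :unless => lambda { |user, params| !user.nil? && params[:id].to_i == user } },
]
```

With these rules, check_roles(nil, :edit, { :id => "1" }, EDIT_RULES) returns :access_denied, which is the outcome post #1 was not getting.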