Forum: Ruby on Rails role_requirement question

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Elliott Golden (elliottg)
on 2009-04-13 18:23
(Received via mailing list)
I am using restful_authentication in combination with role_requirement.

At the beginning of the controllers that I want to have login control
over, I include

require_role "user"
require_role "admin"

For instance. If I login as either of the two roles then call a
controller it works fine. However if I do not login at all and simply
call a controller, it lets me right in. It doesn't restrict access
whatsoever. No redirect to a login page or anything.

How do I restrict access if no user is logged in at all?

Thanks
Niels Nuyttens (Guest)
on 2009-04-13 18:30
(Received via mailing list)
You could use a before_filter in combination with the AuthenticatedSystem
Module. Just add the following in your controller:

before_filter :login_required

You can also give the filter more options in case you want the login only
for a couple of specific actions, or for all actions but one...
Elliott Golden (elliottg)
on 2009-04-13 20:03
(Received via mailing list)
Thanks for the input.

I tried using before_filter :login_required along with the
require_role calls but it doesn't work either.

Maybe there's a conflict between the two plugins?

Any thoughts?

Thanks
Niels Nuyttens (Guest)
on 2009-04-13 20:08
(Received via mailing list)
I'm using it right here in my own projects, they work alongside just
fine...
before_filter :login_required, :only => [ :change_password ]
require_role "admin", :for => :edit, :unless => lambda { |user, params|
  # skip the admin requirement when the user is editing their own record
  return params[:id].to_i == user.id
}
require_role "admin", :for => [:index, :init_mailing]

Not sure where your problem could be coming from...
Elliott Golden (elliottg)
on 2009-04-13 20:26
(Received via mailing list)
OK good to know. I may have broken something while modifying one of
the plugins then.

Thanks heaps Niels, that has set me in the right direction at least.

Elliott
Niels Nuyttens (Guest)
on 2009-04-13 21:36
(Received via mailing list)
You're most welcome,
Good luck fixing!
nico (Guest)
on 2009-04-14 11:04
(Received via mailing list)
Actually

require_role "user"
require_role "admin"

should be enough to protect your actions. I do it like that in my
projects.

Nico
Bharat Ruparel (bruparel)
on 2009-04-14 13:49
(Received via mailing list)
Hello Elliott,
Are you sure that:

1. You have these roles defined in the roles table? and;
2. There is an entry for role_id and user_id in your roles_users table?

For example,

If admin user has a user_id of 1 in users table and your roles table
defines the "admin" role with a role_id = 1 then you must have a row
in roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.
Bharat
Elliott Golden (elliottg)
on 2009-04-14 16:21
(Received via mailing list)
I had broken r_a#before_filter :login_required by tweaking the source
to make some tests pass. That change had also altered the way the
r_r#require_role was working.

I changed the code back, and now require_role "user" & require_role
"admin" do as they should without having to use
before_filter :login_required as well.

Thanks for the help guys!
Tyler Knappe (knappe)
on 2009-06-17 16:39
Bharat Ruparel wrote:
> Hello Elliott,
> Are you sure that:
>
> 1. You have these roles defined in the roles table? and;
> 2. There is an entry for role_id and user_id in your roles_users table?
>
> For example,
>
> If admin user has a user_id of 1 in users table and your roles table
> defines the "admin" role with a role_id = 1 then you must have a row
> in roles_users table corresponding to this combination:
>
> role_id = 1, user_id = 1
>
> Check if you have done this.
> Bharat

Sorry for resurrecting an old thread, but this situation describes
exactly the situation I have set up.  Yet I can't get the user to
authenticate as an administrator.

I have a single user who I have granted admin rights, in the
admins_users table:

| admin_id | user_id |
+----------+---------+
|        1 |       1 |

Where in the user table the user has ID = 1.  The user is also in the
admins table:

| id | name |
+----+------+
|  1 | test |

However, I am seeing this query deny the user access:

User Columns (1.3ms)   SHOW FIELDS FROM `users`
User Load (0.5ms)   SELECT * FROM `users` WHERE (`users`.`id` = 1) LIMIT 1
admins_users Columns (0.8ms)   SHOW FIELDS FROM `admins_users`
Admin Load (1.2ms)   SELECT * FROM `admins` INNER JOIN `admins_users` ON `admins`.id = `admins_users`.admin_id WHERE (`admins_users`.user_id = 1 )
Admin Columns (0.8ms)   SHOW FIELDS FROM `admins`
Filter chain halted as [:check_roles] rendered_or_redirected.

I always end up with the following text:

'You don't have access here.'

It seems like something is going wrong here:

def check_roles
  return access_denied unless self.class.<%= users_name %>_authorized_for?(current_<%= users_name %>, params, binding)

  true
end

However, I can't seem to discover why the user is denied access.
Tyler Knappe (knappe)
on 2009-06-17 19:13
> However, I can't seem to discover why the user is denied access.

Within the user model there is a method called has_role? which compares
all names in the admin table versus "admin".  If it matches then the
user is granted admin access.  I modified has_role? by passing the
user's id in as well (lib/role_requirement_system.rb line 100).  It now
compares the user's id vs the ids in the admin table.  A match grants
admin access.
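The thread touches three things worth seeing together: Niels's per-action require_role options (:for and :unless), Bharat's users/roles/roles_users join layout, and the name-based has_role? comparison Tyler describes. The block below is an added plain-Ruby model written for this page, not code from the thread, restful_authentication or role_requirement; the Struct names, sample rows and the assumption that every rule applicable to an action must pass are all constructed here.

```ruby
# Added example, not code from the thread or the role_requirement plugin:
# a plain-Ruby model of a users/roles/roles_users role check. Table names
# follow Bharat's post; Struct names, rule semantics and rows are constructed.
Role = Struct.new(:id, :name)
User = Struct.new(:id, :login)
Rule = Struct.new(:role, :actions, :skip_if)   # one require_role call

# Constructed sample data: roles table, users table and the join rows
# (role_id, user_id). User 1 is an admin; user 2 only has "user" and "test".
ROLES = [Role.new(1, "admin"), Role.new(2, "user"), Role.new(3, "test")]
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }
ROLES_USERS = [[1, 1], [2, 1], [2, 2], [3, 2]]

# has_role? as name-based membership: the roles joined to this user must
# contain one whose name equals the requested role. A row named "test"
# does not satisfy a check for "admin", whatever its id happens to be.
def has_role?(user, role_name)
  role_ids = ROLES_USERS.select { |_, uid| uid == user.id }.map(&:first)
  ROLES.any? { |r| role_ids.include?(r.id) && r.name == role_name }
end

# Rules for one controller, shaped like Niels's post: :actions plays the
# role of :for (nil = every action) and :skip_if the role of :unless, a
# lambda receiving (user, params). Assumed semantics: every rule that
# applies to the action must pass.
RULES = [
  Rule.new("user", nil, nil),
  Rule.new("admin", [:index, :init_mailing], nil),
  Rule.new("admin", [:edit], lambda { |user, params| params[:id].to_i == user.id }),
]

# Deny by default: an anonymous request (current_user == nil) is refused
# before any rule is consulted, so a missing login can never fall through.
def authorized_for?(rules, current_user, action, params = {})
  return false if current_user.nil?
  rules.select { |r| r.actions.nil? || r.actions.include?(action) }.all? do |r|
    (r.skip_if && r.skip_if.call(current_user, params)) || has_role?(current_user, r.role)
  end
end

if __FILE__ == $0
  p authorized_for?(RULES, nil, :index)                 # false: not logged in
  p authorized_for?(RULES, USERS[1], :index)            # true: alice is admin
  p authorized_for?(RULES, USERS[2], :index)            # false: "test" != "admin"
  p authorized_for?(RULES, USERS[2], :edit, id: "2")    # true: editing own record
  p authorized_for?(RULES, USERS[2], :edit, id: "1")    # false: someone else's
end
```

With the data Tyler posted (a single admins row named "test"), the name-based check for "admin" returns false just as it does for user 2 here, while the join row itself is present; comparing ids instead would let any user whose id coincides with an admin row id through, so the fix belongs in the role name, not in the comparison.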