Forum: Ruby on Rails LoginEngine / UserEngine conceptual help

Greg Freemyer (Guest)
on 2006-01-17 01:42
(Received via mailing list)
All,

I have a small Intranet app I'm trying to get ready for remote access.
 (I only have 15 or so users for now and I don't plan to be adding
very many more.).

I have installed the login engine and it seems to be working as
advertized.  (Great job!)

For my needs I don't want random people to be able to register and get
access to my app, but I will need to register new people every once in
a while.

Using just the login engine is there some way to restrict access to the
signup page to the existing users with logins?  Or better yet just to
myself and one other person?

If not, should I consider also using the user engine and then only
providing a very basic website to anyone who registers but I have not
yet granted advanced rights to?

Thanks
Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
Anthony Rudgick (Guest)
on 2006-01-17 11:41
Greg Freemyer wrote:
> All,
>
> I have a small Intranet app I'm trying to get ready for remote access.
>  (I only have 15 or so users for now and I don't plan to be adding
> very many more.).
>
> I have installed the login engine and it seems to be working as
> advertized.  (Great job!)
>
> For my needs I don't want random people to be able to register and get
> access to my app, but I will need to register new people every once in
> a while.
>
> Using just the login engine is there some way to restrict access to the
> signup page to the existing users with logins?  Or better yet just to
> myself and one other person?
>
> If not, should I consider also using the user engine and then only
> providing a very basic website to anyone who registers but I have not
> yet granted advanced rights to?
>
> Thanks
> Greg
> --
> Greg Freemyer
> The Norcross Group
> Forensics for the 21st Century

Why not just remove the controller and associated views? or simply
comment the controller out?

just an idea

-A
Steve Ross (Guest)
on 2006-01-21 15:40
(Received via mailing list)
Just create your own login view and don't add a link to register. You
will still be able to create the users. See my article on the wiki.

http://wiki.rubyonrails.com/rails/pages/HowToUseUserEngine

The method you will use for creating users is:

/user/new

Hope this works for you.
Greg Freemyer (Guest)
on 2006-01-21 15:40
(Received via mailing list)
Okay newbie question.

When you say create my own view for user/login, do I do that under
vendor/plugins/....

Or do I do that in app/views/user/login.rhtml ?

I don't currently have any user stuff in my app directory, only in the
vendor/plugins directory.

I'm concerned that any changes I make to vendor/plugins will be lost
if I upgrade the engine.

Thanks
Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
Pat Maddox (pergesu)
on 2006-01-21 15:40
(Received via mailing list)
I needed to do basically the exact same thing - allow the creation of
users, but not let random people just register.  In my app, I create
all user accounts, so nobody actually signs up.  I started off with
the LoginEngine, but realized that it did quite a bit more than I
needed in this.

I ended up just uninstalling the engine and writing my own... which
involved setting up scaffolding for the User model, and copying the
login_system.rb file.  So not a whole lot of actual writing :)

You could also overwrite the controller to require admin rights to the
registration page.  You'd have to do this with every action you don't
want regular users to have access to though.  Might be a good approach
if you anticipate opening the app up to more users in the near future,
but if not, you're probably better off just doing it yourself.
Doesn't take very long at all.

Pat
James Adam (Guest)
on 2006-01-21 15:40
(Received via mailing list)
It should be noted that these instructions apply to the UserEngine,
which works above the LoginEngine, and of course won't work with just
the LoginEngine installed.

For the particular problem Greg was discussing, the LoginEngine (or
generator) provides sufficient restriction to do what he wants.

- james
Steve Ross (Guest)
on 2006-01-21 15:44
(Received via mailing list)
Do it in your app/view/user/login.rhtml. You'll have to mirror the one
that is in the plugin's directory, but take out what you don't want.

You're right, it's not a good idea to mess with the plugin's code lest
your work be lost in an upgrade.
Greg Freemyer (Guest)
on 2006-01-21 15:44
(Received via mailing list)
I think I'll try to keep the engine because I have no idea how much
this site will expand in the future.

Based on your comments I found the "protect" method in
user_controller.rb and simply removed "signup" from the list of pages
random people can get to.

Now only someone logged in can access the signup page.  I now just
need to add a link to the signup page from one of my normal pages and
I'm done.

I think the only negative with what I did is I modified the core
engine code so if I ever update it to a new version my change will be
lost.

If there is a more maintainable method I'd like to hear about it.

Thanks
Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
Jens Alfke (Guest)
on 2006-01-21 15:44
(Received via mailing list)
On 16 Jan '06, at 2:34 PM, Steve Ross wrote:

> Just create your own login view and don't add a link to register.
> You will still be able to create the users. See my article on the wiki.

But doesn't that mean that anyone who can guess the URL of the
register action can still type it in by hand and register themselves?
Removing links doesn't remove functionality.

Changing the permissions of the register action, so that only an
admin can reach it, seems more secure.

--Jens
James Adam (Guest)
on 2006-01-21 15:44
(Received via mailing list)
If you create your own /app/controllers/user_controller.rb file, and
give it the contents:

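class UserController < ApplicationController
  # Only the actions listed here stay public; every other action,
  # including signup, requires a logged-in user.
  def protect?(action)
    if ['login', 'forgot_password'].include?(action)
      return false
    else
      return true
    end
  end
end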

... this will override the equivalent method within the engine,
removing your need to edit the engine. You can see this in action in
the engines demo movie[1], or in the documentation (section 'Tweaking
Engines' in the Engines plugin rdoc[2])

- james

[1] http://rails-engines.rubyforge.org/movies/engines_intro.mov
[2] http://api.rails-engines.org/engines/
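
Added example (not part of the post above and not LoginEngine code): a plain-Ruby stand-in for a controller guarded by a protect?-style filter, showing that what an anonymous request can reach is decided by the filter, not by which links the views show. ToyController, dispatch, anonymous_reachable and the export_users action are hypothetical names; the default with signup public is modeled on what the thread describes.

```ruby
# Plain-Ruby model; only the protect? name and the two allowlisted
# actions come from the thread. Everything else is hypothetical.
class ToyController
  ACTIONS = %w[login forgot_password signup home].freeze

  # Stand-in for the default the thread describes: signup is public.
  def protect?(action)
    !%w[login forgot_password signup].include?(action)
  end

  # Runs the filter, then the action. Anonymous callers are redirected
  # away from any action that protect? reports as protected.
  def dispatch(action, logged_in:)
    return :not_found unless self.class::ACTIONS.include?(action)
    return :redirect_to_login if protect?(action) && !logged_in
    :ok
  end
end

# The override from the thread: only login and forgot_password stay public.
class LockedDownController < ToyController
  def protect?(action)
    !%w[login forgot_password].include?(action)
  end
end

# A later release adds an action; the allowlist protects it automatically.
class LockedDownV2 < LockedDownController
  ACTIONS = (ToyController::ACTIONS + %w[export_users]).freeze
end

# Audit helper: which actions can an anonymous request actually run?
# It asks the dispatcher, so links in views have no influence on the result.
def anonymous_reachable(controller_class)
  controller = controller_class.new
  controller_class::ACTIONS.select do |action|
    controller.dispatch(action, logged_in: false) == :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  p anonymous_reachable(ToyController)
  p anonymous_reachable(LockedDownController)
  p anonymous_reachable(LockedDownV2)
end
```

In a real application the equivalent check is a functional test that requests signup without a session and expects the redirect to login, which also confirms that an override was actually picked up.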
Greg Freemyer (Guest)
on 2006-01-21 15:44
(Received via mailing list)
That works perfectly.

I also created a new /app/view/user/login.rhtml and removed the link.

This is my first exposure to engines and I'm very impressed.

Greg

--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
Scott Eade (seade)
on 2006-01-23 06:37
James Adam wrote:
> If you create your own /app/controllers/user_controller.rb file, and
> give it the contents:
>
> class UserController < ApplicationController
>   def protect?(action)
>     if ['login', 'forgot_password'].include?(action)
>       return false
>     else
>       return true
>     end
>   end
> end
>
> ... this will override the equivalent method within the engine,
> removing your need to edit the engine. You can see this in action in
> the engines demo movie[1], or in the documentation (section 'Tweaking
> Engines' in the Engines plugin rdoc[2])
>
> - james
>
> [1] http://rails-engines.rubyforge.org/movies/engines_intro.mov
> [2] http://api.rails-engines.org/engines/

I see that this worked for Greg, but it isn't working for me.  If I cut
and paste the UserController code above into the named file I can still
get to the signup form and submit it (when not logged in).  Is there
something I can do to try and figure out why my user_controller.rb is
not being mixed in with the one from the plugin?

The log includes:
requiring file
'./script/../config/../app/controllers/user_controller.rb'
detected RAILS_ROOT, rewriting to 'app/controllers/user_controller.rb'
checking 'login_engine' for
./script/../config/../vendor/plugins/login_engine/app/controllers/user_controller.rb
--> found, loading from engine 'login_engine'
finally loading from application: 'user_api.rb'
finally loading from application:
'./script/../config/../app/controllers/user_controller.rb'

It sure looks like my user_controller.rb file is read, but I certainly
get to http://localhost:3000/user/signup when I do not believe that I
should.  I have triple checked the file names, the locations of the
files, the content of the files and restarted WEBrick numerous times to
no avail.

TIA,
Scott
Kevin Olbrich (olbrich)
on 2006-01-23 06:43
Scott Eade wrote:
> It sure looks like my user_controller.rb file is read, but I certainly
> get to http://localhost:3000/user/signup when I do not believe that I
> should.  I have triple checked the file names, the locations of the
> files, the content of the files and restarted WEBrick numerous times to
> no avail.
>
> TIA,
> Scott

Does your user.rb file include the LoginEngine and UserEngine libs?

_Kevin
Scott Eade (seade)
on 2006-01-23 07:21
Kevin Olbrich wrote:
> Scott Eade wrote:
>> It sure looks like my user_controller.rb file is read, but I certainly
>> get to http://localhost:3000/user/signup when I do not believe that I
>> should.  I have triple checked the file names, the locations of the
>> files, the content of the files and restarted WEBrick numerous times to
>> no avail.
>>
>> TIA,
>> Scott
>
> Does your user.rb file include the LoginEngine and UserEngine libs?
>
> _Kevin

I'm just using the user model supplied by LoginEngine, to my knowledge
it should not be necessary for me to define my own user model in order
to achieve the desired effect - i.e. it works now, but I want to override
the protect? method so that I can restrict access even further.

Scott
James Adam (Guest)
on 2006-01-25 17:57
(Received via mailing list)
In case anyone's still having problems with controllers/helpers not
being loaded as expected, please try using the latest Engines plugin
release branch version:

  http://opensvn.csie.org/rails_engines/engines/bran...

...give me feedback on the relevant thread on engines-developers, if
you're having problems. Cheers!

- james
Lorne Benore (Guest)
on 2006-01-29 02:55
(Received via mailing list)
I was also unable to override the protect? method in the user
controller. I have been successful in overriding other methods for
example the home method. This would lead me to believe that the user
controller that I created is being read in. Any suggestions?

Thanks,
Lorne
Steve Ross (Guest)
on 2006-02-24 18:45
(Received via mailing list)
Good point. See James's post earlier. In addition, you can override
login in your /app/controllers/user_controller.rb to

flash[:error] = "no way, dude"
redirect_to :action => 'index'

Right?