Forum: Ruby on Rails How to restrict access to admin part of the page?

Szymon Nowak (g0nzo)
on 2006-03-09 18:03
Hi!

What is the easiest way to restrict access to some part of the page?
In PHP I just put .htaccess and .htpasswd files in the /admin folder and it
worked.
Now I've got one admin folder for controllers, one for views, the public
folder, and I'm not really sure if it's still possible. So what is the
easiest way? I don't have any user logging features on my site, because
I don't need them. I only want to restrict access to the admin area.
Josh on Rails (Guest)
on 2006-03-09 18:17
(Received via mailing list)
On 3/9/06, szymek <g0nzo@o2.pl> wrote:
>
> I don't have any user logging features on my site, because
> I don't need them. I only want to restrict access to the admin area.
>

I'm not sure I follow you here. You want to restrict it to certain
users, so it seems to me that you need some kind of user-tracking - or
how do you know who your user is?

In any case: I'd create (or copy) a login controller, then add a
before_filter to the controller for areas you want to restrict.


-- Joshua
Szymon Nowak (g0nzo)
on 2006-03-09 18:38
Well, you're right, I wasn't very clear about it.

On PHP sites I had a separate admin folder for all administration pages. I
just put .htaccess and .htpasswd files there, which forced the user to log in to
gain access to this folder and all pages within it. That's it. I didn't
write a single line of logging code (if I didn't need it, of course).

Is it possible to do the same - restrict access using just .htaccess and
.htpasswd files instead of creating a login controller and writing code?
James Ludlow (Guest)
on 2006-03-09 18:47
(Received via mailing list)
On 3/9/06, szymek <g0nzo@o2.pl> wrote:
> Well, you're right, I wasn't very clear about it.
>
> On PHP sites I had a separate admin folder for all administration pages. I
> just put .htaccess and .htpasswd files there, which forced the user to log in to
> gain access to this folder and all pages within it. That's it. I didn't
> write a single line of logging code (if I didn't need it, of course).
>
> Is it possible to do the same - restrict access using just .htaccess and
> .htpasswd files instead of creating a login controller and writing code?

It's outstandingly simple to add authentication to an existing Rails
app.  Check out acts_as_authenticated and/or LoginEngine for a couple
of the many options available.

http://wiki.rubyonrails.com/rails/pages/Acts_as_au...
http://rails-engines.org/login_engine


-- James
Szymon Nowak (g0nzo)
on 2006-03-09 19:05
Thanks!

I'll probably choose acts_as_authenticated as it looks simpler.

However, it would still be much simpler to create 2 small files than to
install a new plugin and create a new 'users' table, which will have
only 1 user :)
Josh on Rails (Guest)
on 2006-03-09 20:25
(Received via mailing list)
On 3/9/06, szymek <g0nzo@o2.pl> wrote:
>
> However, it would still be much simpler to create 2 small files than to
> install a new plugin and create a new 'users' table, which will have only 1
> user :)
>

1. In many cases, yes, but not all (especially shared) hosts allow
.htaccess files, even for authentication.

2. It's not *necessary* to install a plugin, nor to create a users
table. Those are alternatives to writing your own login controller.
Szymon Nowak (g0nzo)
on 2006-03-09 20:42
Maybe you're right about writing my own very simple login controller.

It would probably be faster using Ruby than installing and configuring
the plugin :)

Is it a huge security hole if I put the username/(encoded) password inside my
controller?
Josh on Rails (Guest)
on 2006-03-09 20:59
(Received via mailing list)
On 3/9/06, szymek <g0nzo@o2.pl> wrote:
>
> Is it a huge security hole if I put the username/(encoded) password inside my
> controller?
>

In general? I don't think it's a huge security hole.
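
An added example, not code from any poster in this thread: a single-user HTTP Basic check for an `/admin` area, of the kind a `before_filter` could call, that stores a salted PBKDF2 digest rather than a password and compares it in constant time. The names `authorize`, `admin?`, `parse_basic`, the realm and the sample credential are assumptions made for the illustration; plain Ruby, no Rails required.

```ruby
require "openssl"

# Constructed demo values. A real app would keep only SALT and ADMIN_DIGEST
# (for example in ENV), never the plaintext password.
ADMIN_USER = "admin"
SALT       = "constructed-demo-salt"
ITERATIONS = 100_000

def pbkdf2(password)
  OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

ADMIN_DIGEST = pbkdf2("correct horse battery staple") # computed here only for the demo

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Decode "Basic <base64(user:pass)>"; nil for anything else.
def parse_basic(header)
  scheme, token = header.to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && token
  user, pass = token.unpack1("m").split(":", 2)
  user && pass ? [user, pass] : nil
end

def admin?(user, pass)
  sha = ->(s) { OpenSSL::Digest.new("SHA256").digest(s) }
  # Evaluate both checks so a wrong username costs the same as a wrong password.
  user_ok = secure_equal?(sha.(user), sha.(ADMIN_USER))
  pass_ok = secure_equal?(pbkdf2(pass), ADMIN_DIGEST)
  user_ok & pass_ok
end

# Hypothetical gate: returns a Rack-style [status, headers] pair.
def authorize(path, authorization_header)
  return [200, {}] unless path == "/admin" || path.start_with?("/admin/")
  user, pass = parse_basic(authorization_header)
  return [200, {}] if user && admin?(user, pass)
  [401, { "WWW-Authenticate" => 'Basic realm="Admin"' }]
end
```

Basic authentication sends the password base64-encoded on every request, which is an encoding and not encryption, so the admin area needs HTTPS for this check to protect anything.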