Protecting Users::OmniauthCallbacksController
From: Claudio Poli <masterk...@gmail.com>
Date: Wed, 25 Apr 2012 05:20:27 -0700 (PDT)
Local: Wed, Apr 25 2012 8:20 am
Subject: Protecting Users::OmniauthCallbacksController

I'm trying to guard Users::OmniauthCallbacksController against anonymous
users.

If we take a look at lib/devise/controllers/helpers.rb in define_helpers,
authenticate_#{mapping} calls warden only if this is not a devise
controller or if force.

Since Users::OmniauthCallbacksController <
Devise::OmniauthCallbacksController is a devise controller, I thought using
this:

before_filter :authenticate_user!, force: true

But it still does not have any effect. Should I start using user_signed_in?

Thanks.


 
From: Carlos Antonio da Silva <carlosantoniodasi...@gmail.com>
Date: Wed, 25 Apr 2012 09:37:03 -0300
Local: Wed, Apr 25 2012 8:37 am
Subject: Re: [devise] Protecting Users::OmniauthCallbacksController

The main question is: why would you want to protect this controller against anonymous users? Technically it's for anonymous users to get access to your application, right?

I think the best you can do to "protect" your controller is to redirect to another place in case the omniauth hash is not present in the env - which probably means it didn't come from Facebook.

--
At.
Carlos Antonio


 
From: Claudio Poli <masterk...@gmail.com>
Date: Wed, 25 Apr 2012 14:41:58 +0200
Local: Wed, Apr 25 2012 8:41 am
Subject: Re: [devise] Protecting Users::OmniauthCallbacksController

Hello Carlos,
in my app I let users link with third party services not for the sign in with X goal, but to enable additional features afterwards, and since we are using Devise, we find the OmniAuth integration great.
So yes, a valid user session should be required to access the custom Users::OmniauthCallbacksController controller in my case.

Cheers

From: Carlos Antonio da Silva <carlosantoniodasi...@gmail.com>
Date: Wed, 25 Apr 2012 09:55:05 -0300
Local: Wed, Apr 25 2012 8:55 am
Subject: Re: [devise] Protecting Users::OmniauthCallbacksController

Hm ok, got it. So yeah, in theory using the normal before_filter with :force option should be the way to go I believe. What happens, do you get any error, does it redirect to somewhere else?

--
At.
Carlos Antonio


 
From: Claudio Poli <masterk...@gmail.com>
Date: Thu, 26 Apr 2012 13:51:20 +0200
Local: Thurs, Apr 26 2012 7:51 am
Subject: Re: [devise] Protecting Users::OmniauthCallbacksController

I don't get any particular errors using the :force option on the before_filter, it just gets ignored and the controller code goes on the request like it isn't there at all.

*However* if I call via browser my http://0.0.0.0:5000/users/auth/facebook/callback it appears to redirect correctly, but spec fails so I suspect it's something with my spec.

describe Users::OmniauthCallbacksController do
  before(:each) do
    request.env["devise.mapping"] = Devise.mappings[:user]
  end
  context "when not signed in", :focus do
    it "should be redirected to user sign in" do
      User.omniauth_providers.each do |provider|
        get provider
        response.should be_redirect
        # response.code.should eq("401")
      end
    end
  end
end

From: Carlos Antonio da Silva <carlosantoniodasi...@gmail.com>
Date: Thu, 26 Apr 2012 09:26:28 -0300
Local: Thurs, Apr 26 2012 8:26 am
Subject: Re: [devise] Protecting Users::OmniauthCallbacksController

Hm yeah, may be. Is this a controller/functional test? Are you using Devise::TestHelpers, right? I think I've never tested a controller for non signed in process like this, and I can't seem to spot anything wrong with your test at a glance.

What's the error, you get a success response? The action is executed normally?

--
At.
Carlos Antonio


 
From: Claudio Poli <masterk...@gmail.com>
Date: Thu, 26 Apr 2012 15:25:03 +0200
Local: Thurs, Apr 26 2012 9:25 am
Subject: Re: [devise] Protecting Users::OmniauthCallbacksController

Yes, Devise test helpers and all the other stuff. I have this code in controller:

class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  before_filter :authenticate_user!, force: true

  User.omniauth_providers.each do |provider|
    send :define_method, provider do
      process_callback
    end
  end

  private
  def process_callback
    # ...
  end
end

process_callback should not be reached if the user is not logged in but it appears to be (in specs, I tried to investigate because I was having errors in staging due to not signed in users reaching the action although a before_filter is in place).

I tried to tinker around in helpers.rb in self.define_helpers where the method authenticate_#{mapping}! is created, the spec posted previously passes if I remove the if condition from warden.authenticate!(opts); tried swapping the conditions (ruby 1.9.3-p194) but obviously it had no effect.

I then tried to check if for some reason opts.delete(:force) was at fault but from a quick inspection it's okay.

I suspect there is more however, still investigating what's up.

Thanks!

From: Claudio Poli <masterk...@gmail.com>
Date: Thu, 26 Apr 2012 16:23:45 +0200
Local: Thurs, Apr 26 2012 10:23 am
Subject: Re: [devise] Protecting Users::OmniauthCallbacksController

Heads up, it works by doing this in controller:

prepend_before_filter :authenticate_scope!

protected
def authenticate_scope!
  send(:"authenticate_#{resource_name}!", :force => true)
  self.resource = send(:"current_#{resource_name}")
end

Cheers
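
Why the option in the first post was ignored while the final snippet works, as an added example that is not part of the thread and is not Devise's or Rails' source: a simplified Ruby model in which `ModelController`, `IgnoredForce`, `ForcedInside`, `warden_calls` and `action_ran` are hypothetical names. It assumes that options given to `before_filter` stay with the callback registration and that the filter method itself is called with no arguments.

```ruby
# Simplified model (assumption: not Devise's or Rails' actual source).
class ModelController
  attr_reader :warden_calls, :action_ran

  # Filter registration: options belong to the callback chain
  # and are never handed to the filter method.
  def self.filters; @filters ||= []; end
  def self.before_filter(name, _options = {}); filters.push(name); end
  def self.prepend_before_filter(name, _options = {}); filters.unshift(name); end

  def initialize(signed_in:)
    @signed_in = signed_in
    @warden_calls = 0
    @action_ran = false
  end

  def devise_controller?; true; end   # true for any Devise controller subclass

  # Behaviour the thread describes for the generated helper:
  # warden is consulted only outside Devise controllers, or when forced.
  def authenticate_user!(opts = {})
    return unless !devise_controller? || opts.delete(:force)
    @warden_calls += 1
    throw :halt unless @signed_in     # stands in for warden halting the request
  end

  def process
    catch(:halt) do
      self.class.filters.each { |f| send(f) }   # filters run with no arguments
      @action_ran = true                        # the callback action body
    end
    self
  end
end

class IgnoredForce < ModelController
  before_filter :authenticate_user!, force: true   # force never reaches the helper
end

class ForcedInside < ModelController
  prepend_before_filter :authenticate_scope!

  def authenticate_scope!
    authenticate_user!(force: true)   # force is passed as a method argument
  end
end
```

With an anonymous request, `IgnoredForce` runs the action without ever consulting warden, while `ForcedInside` halts before the action.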
