Devise gem User Authentication
46 views
Skip to first unread message
Mohammed Rashid
Oct 6, 2014, 6:53:58 AM10/6/14
to rubyonra...@googlegroups.com
This is my code for my index.html.erb scaffold
as you can see the if else stops a user to "show, edit or destroy" the
entries. However, they can create a new Rota entry by clicking New
Rotum. I can get rid of the admin part in Show, edit, destroy and
everyone will be able to do everything. But I want a user to be able to
only show edit destroy their OWN entry and not everyone elses too
because that is what happens when I authenticate a user to do this?
<h1>Listing rota</h1>
<table id = "tabletest">
<thead>
<tr>
<th>Name</th>
<th>Mobile</th>
<th>Email</th>
<th>Category</th>
<th>Other</th>
<th colspan="3"></th>
</tr>
</thead>
<tbody>
<% @rota.each do |rotum| %>
<tr>
<td><%= rotum.name %></td>
<td><%= rotum.mobile %></td>
<td><%= rotum.email %></td>
<td><%= rotum.category %></td>
<td><%= rotum.other %></td>
<% if current_user.try(:admin?) %>
<td><%= link_to 'Show', rotum %></td>
<td><%= link_to 'Edit', edit_rotum_path(rotum) %></td>
<td><%= link_to 'Destroy', rotum, method: :delete, data: {
confirm: 'Are you sure?' } %></td>
</tr>
<% end %>
<% end %>
</tbody>
</table>
<br>
<% if user_session %>
<%= link_to 'New Rotum', new_rotum_path %>
<% end %>
--
Posted via http://www.ruby-forum.com/.
as you can see the if else stops a user to "show, edit or destroy" the
entries. However, they can create a new Rota entry by clicking New
Rotum. I can get rid of the admin part in Show, edit, destroy and
everyone will be able to do everything. But I want a user to be able to
only show edit destroy their OWN entry and not everyone elses too
because that is what happens when I authenticate a user to do this?
<h1>Listing rota</h1>
<table id = "tabletest">
<thead>
<tr>
<th>Name</th>
<th>Mobile</th>
<th>Email</th>
<th>Category</th>
<th>Other</th>
<th colspan="3"></th>
</tr>
</thead>
<tbody>
<% @rota.each do |rotum| %>
<tr>
<td><%= rotum.name %></td>
<td><%= rotum.mobile %></td>
<td><%= rotum.email %></td>
<td><%= rotum.category %></td>
<td><%= rotum.other %></td>
<% if current_user.try(:admin?) %>
<td><%= link_to 'Show', rotum %></td>
<td><%= link_to 'Edit', edit_rotum_path(rotum) %></td>
<td><%= link_to 'Destroy', rotum, method: :delete, data: {
confirm: 'Are you sure?' } %></td>
</tr>
<% end %>
<% end %>
</tbody>
</table>
<br>
<% if user_session %>
<%= link_to 'New Rotum', new_rotum_path %>
<% end %>
--
Posted via http://www.ruby-forum.com/.
Jason Fleetwood-Boldt
Oct 6, 2014, 10:57:04 AM10/6/14
to rubyonra...@googlegroups.com
What does the controller look like?
Try googling for "devise with cancan"
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/a2aa649ac285cd6d2bac5cd2c9dfe0f8%40ruby-forum.com.
> For more options, visit https://groups.google.com/d/optout.
>
----
Jason Fleetwood-Boldt
te...@datatravels.com
http://www.jasonfleetwoodboldt.com/writing
All material © Jason Fleetwood-Boldt 2014. Public conversations may be turned into blog posts (original poster information will be made anonymous). Email ja...@datatravels.com with questions/concerns about this.
Try googling for "devise with cancan"
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/a2aa649ac285cd6d2bac5cd2c9dfe0f8%40ruby-forum.com.
> For more options, visit https://groups.google.com/d/optout.
>
----
Jason Fleetwood-Boldt
te...@datatravels.com
http://www.jasonfleetwoodboldt.com/writing
All material © Jason Fleetwood-Boldt 2014. Public conversations may be turned into blog posts (original poster information will be made anonymous). Email ja...@datatravels.com with questions/concerns about this.
Mohammed Rashid
Oct 6, 2014, 1:02:49 PM10/6/14
to rubyonra...@googlegroups.com
class RotaController < ApplicationController
before_filter :authenticate_user!, except: ( :Welcome)
before_action :set_rotum, only: [:show, :edit, :update, :destroy]
# GET /rota
# GET /rota.json
def index
@rota = Rotum.all
@is_admin = current_user.try(:admin?)
end
# GET /rota/1
# GET /rota/1.json
def show
end
# GET /rota/new
def new
@rotum = Rotum.new
end
# GET /rota/1/edit
def edit
end
# POST /rota
# POST /rota.json
def create
@rotum = Rotum.new(rotum_params)
respond_to do |format|
if @rotum.save
format.html { redirect_to @rotum, notice: 'Rotum was
successfully created.' }
format.json { render :show, status: :created, location: @rotum }
else
format.html { render :new }
format.json { render json: @rotum.errors, status:
:unprocessable_entity }
end
end
end
# PATCH/PUT /rota/1
# PATCH/PUT /rota/1.json
def update
respond_to do |format|
if @rotum.update(rotum_params)
format.html { redirect_to @rotum, notice: 'Rotum was
successfully updated.' }
format.json { render :show, status: :ok, location: @rotum }
else
format.html { render :edit }
format.json { render json: @rotum.errors, status:
:unprocessable_entity }
end
end
end
# DELETE /rota/1
# DELETE /rota/1.json
def destroy
@rotum.destroy
respond_to do |format|
format.html { redirect_to rota_url, notice: 'Rotum was
successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between
actions.
def set_rotum
@rotum = Rotum.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the
white list through.
def rotum_params
params.require(:rotum).permit(:name, :mobile, :email, :category,
:other)
end
end
before_filter :authenticate_user!, except: ( :Welcome)
before_action :set_rotum, only: [:show, :edit, :update, :destroy]
# GET /rota
# GET /rota.json
def index
@rota = Rotum.all
@is_admin = current_user.try(:admin?)
end
# GET /rota/1
# GET /rota/1.json
def show
end
# GET /rota/new
def new
@rotum = Rotum.new
end
# GET /rota/1/edit
def edit
end
# POST /rota
# POST /rota.json
def create
@rotum = Rotum.new(rotum_params)
respond_to do |format|
if @rotum.save
format.html { redirect_to @rotum, notice: 'Rotum was
successfully created.' }
format.json { render :show, status: :created, location: @rotum }
else
format.html { render :new }
format.json { render json: @rotum.errors, status:
:unprocessable_entity }
end
end
end
# PATCH/PUT /rota/1
# PATCH/PUT /rota/1.json
def update
respond_to do |format|
if @rotum.update(rotum_params)
format.html { redirect_to @rotum, notice: 'Rotum was
successfully updated.' }
format.json { render :show, status: :ok, location: @rotum }
else
format.html { render :edit }
format.json { render json: @rotum.errors, status:
:unprocessable_entity }
end
end
end
# DELETE /rota/1
# DELETE /rota/1.json
def destroy
@rotum.destroy
respond_to do |format|
format.html { redirect_to rota_url, notice: 'Rotum was
successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between
actions.
def set_rotum
@rotum = Rotum.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the
white list through.
def rotum_params
params.require(:rotum).permit(:name, :mobile, :email, :category,
:other)
end
end
Mohammed Rashid
Oct 6, 2014, 1:04:15 PM10/6/14
to rubyonra...@googlegroups.com
Jason Fb wrote in post #1159167:
> What does the controller look like?
Mohammed Rashid
Oct 6, 2014, 1:04:38 PM10/6/14
to rubyonra...@googlegroups.com
I will take a look at it, thanks for the advice
Jason Fleetwood-Boldt
Oct 6, 2014, 1:15:05 PM10/6/14
to rubyonra...@googlegroups.com
The before_action :set_rotum is where you want to put the access control.
Despite what I said earlier, you don't actually need cancan, but as an alternative to this implementation you can use something like cancan for access control.
In your example, you would do something like this (obviously this example assumes you have the rotem object belonging to the user object)
def set_rotem
@rotem = current_user.rotems.find(params[:id])
if @rotem.nil?
render :html => "Not authorized", :status => 401
end
end
or something like this:
def set_rotem
@rotem = Rotem.find(params[:id])
if @rotem.user != current_user
render :html => "Not authorized", :status => 401
end
end
-Jason
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/7457774d8710957cef70c7fcfa5040fd%40ruby-forum.com.
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
> To post to this group, send email to rubyonra...@googlegroups.com.
Mohammed Rashid
Oct 8, 2014, 12:52:24 PM10/8/14
to rubyonra...@googlegroups.com
I am using rails-devise-pundit, It works perfect. However, I tried to
include this code in my controller, but it shows me
undefined method `set_rotum' for #<RotaController:0x000000050413e8>
I'm trying to fix this as we speak, However if you have any suggestions.
Please try and help. Thanks.
Rashid
include this code in my controller, but it shows me
undefined method `set_rotum' for #<RotaController:0x000000050413e8>
I'm trying to fix this as we speak, However if you have any suggestions.
Please try and help. Thanks.
Rashid
Reply all
Reply to author
Forward
0 new messages