Scenario addressed: A visitor cannot sign in without a generic code to control user access during initial test of a website (Rails 5.1.6 with devise 4.4.3)
This is achieved by setting the controller as follows:
class ApplicationController < ActionController::Base
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:fullname, :invitation])
devise_parameter_sanitizer.permit(:account_update, keys: [:fullname, :phone_number, :description])
end
end
and then I have adjusted the user model with:
class User < ApplicationRecord
attr_accessor :invitation
validates :validate_invitation, presence: true, :on => :create
def validate_invitation
if self.invitation != "123"
self.errors[:base] << "Enter a valid invitation code"
end
end
When I proceed to the sign with a new user, it fails. The console returns the following:
Parameters: {... "user"=>{"fullname"=>"Jone", "invitation"=>"123",...}, "commit"=>"Sign up"}
However the sign in is not validated because: "Invitation can't be blank"
I can't see the mistake.
Add to the user class the following validation below "attr_accessor :invitation": validates :invitation, on: :create, presence: true, inclusion: { in: ["123"]}
and eliminate the def validate_invitation entirely.
Related
i am new to rails and i want to give permissions to users for particular task involved in my project on different modules.
i have two models "user" and "project"... in "user.rb" has_many : projects
and in "project.rb" belongs_to :user. and i have one more model which combine both models named "user_project.rb" in this model have proj_id an user_id stored.
i want to give permission and after that also check for the permission to current user for creating messages and tasks according to permissions assign to them.
where can i define permissions and how it works for me in view as well....
If you created user_project.rb only for storing these ids - remove it.
This look like you need to write before_filter in your controllers
class ProjectsController << ApplicationController
before_filter :current_user_required, only: [ :edit, :update ]
#there def of actions
private
def current_user_required
unless current_user == #project.user
flash[:error] = 'error 403'
redirect_to :back
end
end
And when you find #project, for edit and update actions, you can do it like:
#project = current_user.projects.find(params[:project_id]) #need to change :project_id
If you want to create model Message(belongs_to :project and Project has_name: messages) and give access for creation and edit it only for project.user you can do it using before_filter or validation in model
class Message << ActiveRecord::Base
validate :author_is_project_user, on: :create
private
def author_is_project_user
errors.add :base, 'author not is project user' unless self.author == self.project.user
end
end
According to this you can define permission for another things
And if you want to get permission for another user you have_to create model which belongs_ to :user and :project and check in before_filter present of it.
sort of this:
class Permission << ActiveRecord::Base
belongs_to :user
belongs_to :project
scope :about, -> project { where project_id: project }
scope :of_user, -> user { where project_id: project }
end
and in User model define method like
def access_to_project? project
Permission.about(project).of_user(self).first.present?
end
or you can add variable to this model and make more complicated logic of access
I am using cancan to authorize my controller actions. One of classes where access is authorized by cancan is a tree, implemented with acts_as_ancestry. I'm having problems using load_and_authorize_resource when the user is not permitted to access the root level, but rather is allowed access starting at an interior node.
Here are some relavant class definitions:
class User < ActiveRecord::Base
belongs_to :organization, :inverse_of => :users
end
class Post < ActiveRecord::Base
belongs_to :organization, :inverse_of => :posts
end
class Organization < ActiveRecord::Base
has_ancestry :cache_depth => true
has_many :users, :inverse_of => :organization
has_many :posts, :inverse_of => :organization
end
The rules for managing posts are "You can manage posts in any organization below yours". My cancan abilities definition is this:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new
# subtree_ids is added by acts_as_ancestry
can :manage, Post, {:organization_id => user.organization.subtree_ids}
end
end
In the controller, I have this (other actions omitted)
class PostsController < ApplicationController
load_and_authorize_resource :post
def index
end
def new
end
end
Everything works fine when the authorized user belongs to the root organization. However, when I login as a user authorized at an internal node, the index action works fine, but when the new action is invoked, I get a can-can authorization error.
Here is what I see in the log:
Access denied on new #<Post id: nil, organization_id: 1>
The organization_id 1 (the root) is coming from the schema:
create_table "posts", :force => true do |t|
t.integer "organization_id", :default => 1
end
With cancan, the new action will build a new Post and assign it to #post. When it does this, it will initialize all the attributes with values taken from the can definition in Abilities.rb. However, it will not do anything if those attributes are Arrays, Hashes or Ranges and the default value ends up coming from the schema.
How can I authorize users to manage posts in their subtree, but when they create a new post, default it to their organization?
In cancan, if the #post variable is already initialized by you, it will not call load_resource on it, only do the authorize part. See this part of the docs: https://github.com/ryanb/cancan/wiki/Authorizing-controller-actions, "Override loading".
So the simplest solution is to take control of the initialization yourself and make it what you need, like here:
class PostsController < ApplicationController
before_filter :initialize_post, :only => [:new, :create]
def initialize_post
#post = current_user.organization.posts.build(params[:post]||{:name=>'Smashing Kittens'})
end
load_and_authorize_resource :post
def index
end
def new
end
def create
end
end
You can see it working in this test project that I created from your post: https://github.com/robmathews/cancan_test.
I had a similar issue and ended up writing ancestry related permissions in blocks like so:
can :manage, Post do |post|
post.organization.subtree_ids.include?(user.organization_id)
end
I was trying to follow the railscasts tutorial that explains how to handle mass-assignment errors and attr_accessible for admins, but since that was a little outdated, I'm trying to follow what's in the rails API dock for 3.2.6 here.
All I want to do is allow the admin user the ability to access the "winning" attribute for the Proposal Model on the Update action.
Here's my Proposal Model showing the current attr_accessible.
class Proposal < ActiveRecord::Base
attr_accessible :email, :email_confirmation, :link, :name, :references, :short_description
belongs_to :idea
Here's my code for the Proposal Controller's Update action.
class ProposalsController < ApplicationController
include ActiveModel::MassAssignmentSecurity
attr_accessible :email, :email_confirmation, :link, :name, :references, :short_description
attr_accessible :email, :email_confirmation, :link, :name, :references, :short_description, :winning, :as => :admin
def update
#idea = Idea.find(params[:idea_id])
#proposal = #idea.proposals.find(params[:id])
if #proposal.update_attributes(proposal_params)
redirect_to idea_proposals_url(#idea)
else
render 'edit'
end
end
protected
def proposal_params
role = current_user.admin ? :admin : :default
sanitize_for_mass_assignment(params[:proposal], role)
end
Check out this Railscast. I had a similar issue with an Admin field Boolean and didn't want any user to circumvent the security by sending a curl post. If the user is an admin then it gave them the ability to access the field, otherwise Mass Assignment would protect the field from being modified.
http://railscasts.com/episodes/237-dynamic-attr-accessible?view=asciicast
I've setup Omniauth Facebook authentication according to this tutorial: http://net.tutsplus.com/tutorials/ruby/how-to-use-omniauth-to-authenticate-your-users/
And now I'm trying to combine it with omniauth-identity using the same User model instead of a separate Identity model as in this tutorial: http://railscasts.com/episodes/304-omniauth-identity?view=asciicast , but I cannot get it to work properly.
This is is my initializers/omniauth.rb file:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :facebook, 'xxxxx', 'xxxxx'
provider :identity, :fields => [:email], :model => User
end
I've added 'password_digest' column that is needed by omniauth-identity to my User model/table and changed the User model code
from
class User < ActiveRecord::Base
has_many :authorizations
#validates :name, :email, :presence => true
def add_provider(auth_hash)
# check if the provider already exists, so we don't add it twice
unless authorizations.find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"])
Authorization.create :user => self, :provider => auth_hash["provider"], :uid => auth_hash["uid"], :token => auth_hash["token"]
end
end
end
to
class User < OmniAuth::Identity::Models::ActiveRecord
...
end
but when I do that the code in the Authorization model that creates the User and the Authorization models does not work properly
When the User model extends from ActiveRecord::Base the records are created just fine but when I extend the user model from OmniAuth::Identity::Models::ActiveRecord the user model is not stored in the database when you create a new authorization.
This is the Authorization model code:
class Authorization < ActiveRecord::Base
belongs_to :user
validates :provider, :uid, :presence => true
def self.find_or_create(auth_hash)
unless auth = find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"])
user = User.create :name => auth_hash["info"]["name"], :email => auth_hash["info"]["email"]
auth = create :user => user, :provider => auth_hash["provider"], :uid => auth_hash["uid"], :token => auth_hash["credentials"]["token"]
end
auth
end
end
When I extend the User model from ActiveRecord::Base and try to create a new registration with Identity I get this error:
ActiveRecord::UnknownAttributeError
unknown attribute: password
Is there any way to get this working this way? I don't know what to do now.
not sure you're still having the problem, but maybe someone on the interwebz will.
I just posted a solution on by blog, should solve your problems:
http://bernardi.me/2012/09/using-multiple-omniauth-providers-with-omniauth-identity-on-the-main-user-model/
try to add attr_accessor :password and may be attr_accessor :email
I'm trying to layout a Rails app using Devise for authentication. I'd like to have an initial landing page where people could enter then email address. I'd like to create an account as soon as I get the email address and then let the user finalize the authentication process later. Is there some documentation that would would show how to do this?
Thanks!
I ended up solving this by using the "devise_invitable" gem. The only thing that I had to extend to get this working was to make sure that a user didn't need to be authenticated to send an invitation. Over-ride the invitations contoller and it's working great:
class InvitationsController < Devise::InvitationsController
include Devise::Controllers::InternalHelpers
skip_filter :authenticate_inviter!
skip_filter :authenticate!
def current_inviter
#current_inviter ||= User.new(params[:user])
end
end
I'm not sure if there is good documentation for how to do this, but it would not be hard. Just don't require authentication on your landing page, or on the post from the login form on that page. Collect an email address in the login form. Send the user a mail to the address they log in with. In the email, include the 'forgot password' link (renamed to 'click here to sign in' ... or whatever) to force the user to login and choose a password. Does that work for you, or did i miss something?
I realize this is late, but this might be helpful to others. I had a similar requirement as you. Basically, I wanted to have a user enter an email address, and persist the user as a guest. Once the user is promoted to a 'regular' user, I re-enable password authentication. First, I created a warden strategy based on the devise-gullible gem. I made a modification to the authenticate method:
class Guest < Authenticatable
def authenticate!
resource = mapping.to.find_for_database_authentication(authentication_hash)
if resource
if resource.respond_to?(:guest?) and resource.guest?
success!(resource)
else
fail(:regular_user)
end
else
fail(:invalid)
end
end
end
I define a guest user in my user model as follows:
def guest?
self.roles.length == 0
end
I'm using CanCan with devise and a HABTM to handle the roles. Currently, I have a 'regular' user and an 'admin' user. A user is a guest if he has no assigned roles yet.
Then, you need to override the devise registrations controller:
class Users::RegistrationsController < Devise::RegistrationsController
prepend_before_filter :allow_params_authentication!, :only => :create
def create
resource = warden.authenticate(:guest,
{ scope: resource_name,
recall: "#{controller_path}#new" })
if resource
set_flash_message(:notice, :signed_in) if is_navigational_format?
sign_in(resource_name, resource)
respond_with resource, :location => after_sign_in_path_for(resource)
elsif warden.winning_strategy.message == :regular_user
set_flash_message :notice, :regular_user if is_navigational_format?
redirect_to new_session_path(resource_name)
else
super
end
end
end
Note that the idea is that we attempt to authenticate a user running the guest strategy only. If he is already registered as a guest, just sign him in normally. If the guest strategy fails because he is registered, but is now a regular user, redirect to the normal sign in page.
Now it is possible to persist some limited information I may wish to collect from a guest, and not require him to have to do a full sign up. I use a normal User model:
class User < ActiveRecord::Base
devise :database_authenticatable, :registerable, :confirmable,
:recoverable, :rememberable, :trackable, :omniauthable,
:token_authenticatable
# Setup accessible (or protected) attributes for your model
attr_accessible :email, :password, :password_confirmation, :remember_me
has_and_belongs_to_many :roles
def self.new_with_session(params, session)
super.tap do |user|
if user.password.blank?
user.password = Devise.friendly_token[0,31]
# Also, we don't need to do email confirmation in this case.
# The user will have the guest role, and we'll do a confirmation
# when we promote him to a 'regular' user.
user.skip_confirmation!
end
end
end
def has_role?(role)
!!self.roles.find_by_name(role.to_s.camelize)
end
end
Note that I auto-generate a password in build_with_session. You can send a auth token at the time of your choosing, and then require the user to set a new password at that time. You'll also want to then change his role so that he becomes a regular user (or do whatever it is you want to note he is no longer a guest).
Here's my partial that appears on the front page:
<%= simple_form_for(resource,
as: resource_name,
url: user_registration_path,
defaults: { required: false },
html: { class: 'well' },
wrapper: :bootstrap,
validate: true) do |f| %>
<%= f.error_notification %>
<fieldset>
<legend>New here? Let's get started!</legend>
<%= f.input :email, placeholder: 'user#example.com', validate: { uniqueness: false } %>
<%= f.button :submit, "Get my quote!", class: 'btn-primary' %>
</fieldset>
<% end %>
So, this form functions as both a guest registration and login form. The only think I don't really care for so far is the the registrations controller is handling an authentication, but I didn't see an immediate way around this.
I implemented this strategy in my local lib directory. Be sure to set your load path appropriately, and add require 'devise_guest' to config/initializers/devise.rb.