Is it possible to disable the /users routing?
I don't want anyone to access /users
Tried several ways like:
resources :users, :skip => [:users] do
resources :profiles
resources :account
end
The Users model is my devised one for storing the users login details.
So you don't want /users/ but the others routes /users/:id/, /users/:id/profiles, etc to still be here ? If I'm right, then you don't want the index action. So you do resources :users, :except => [:index] do ...
Related
I'm relatively new to ruby on rails, and so I am now very confused how to setup a user management system for admins.
Besides, users should be able to register themselfs (Devise Registerable).
I have a User controller, using devise_for :users and resources :users .
I can sign_up users, since I used the :registerable, flag in my Users model.
What I want to do now is to add the ability for admins to create users.
If I used the described system, I always get the message 'You are already signed in' when creating a new user through /users/new as admin. This is a message from devise.
So I followed the tutorial www.tonyamoyal.com/2010/07/28/rails-authentication-with-devise-and-cancan-customizing-devise-controllers/ to use cancan to restrict some actions and created a own devise registrations controller like described there.
My cancan ability model looks like this:
if user.has_role?(:admin)
#admin
can :manage, :all
elsif !(user.new_record?)
#logged in but no admin
...
else
# Guest
can :create, User
end
and my registrations controller like in the tutorial
class RegistrationsController < Devise::RegistrationsController
before_filter :check_permissions, :only => [:new, :create, :cancel]
skip_before_filter :require_no_authentication
def check_permissions
authorize! :create, resource
end
end
I also added the controller to the routes.rb
With this I can create new users with the admin, but if I want to sign_up as not logged in user ("#Guest") I get always the message cancan exception "Access denied". And if I call exception.subject in the CanCan exception handling it is empty.
Can it be, that 'resource' from my controller is not initialized? How can I get the expected behaviour?
Thanks a lot for your help ;-)
Mhm, I figured out, that resource seems to be a method of the devise-controller.
No idea, why it is not called, or is not returning an object
My solution was now (since I can only register users) to change
def check_permissions
authorize! :create, resource
end
to
def check_permissions
authorize! :create, User #could also be User.new
end
And with this it works. But I'm not sure, if it is the best solution ;-)
Hi I have a NOOB question in light of what happend at GITHUB with their application being exploited because of the security hole in Rails.
What is the best way to protect object attributes in Rails but still allow them to be assigned values where applicable?
Thanks
Actually Rails 3.1 has added new built-in ways to handle mass-assignment with roles which is probably something that you want to take a look at.
Release notes here
Basically it works like this:
class User < ActiveRecord::Base
attr_accessible :name
attr_accessible :name, :role, :as => :admin
end
What this enables you to do is that you can use the following way to allow the user to update his own information in one of your controllers:
#user.update_attributes(params[:user])
And that usage can never update the :role attribute in the User model. But when you have your admin users managing the roles in a separate controller, then you can user the following syntax:
#user.update_attributes(params[:user], :as => :admin)
And that will allow the :role attribute to be updated as well
I have a little app with Rails and Devise, and until now we were registering new users by Rails console. Now I have been asked to give a view for admin only, where they can signup, delete and view other Users.
My question is, which is the best way to go from here with Devise to accomplish this? I have checked similar questions here, on Devise wiki and other sites, and the conclusion I take from them is to have my own User controller.
What I need basically is a index view to list all users with a link on each one of them for editing and destroy and a new view for signup users. How much code from devise controllers I will new to override?
Also, my user model has the devise module: :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :timeoutable.
Thank you in advance.
From what it sounds like ... you just want have a client side for devise, (the user needs to register, login, etc. because they cant use the console). What I think your asking for, i think you should follow this tutorial to set up devise https://github.com/fortuity/rails3-subdomain-devise/wiki/Tutorial-%28Walkthrough%29 , (i followed this up to Set Up Subdomains, because that is what was important for me in my rails app). It should set up the functionality you are talking about. After you do this, if you find sign out throws an error, change
devise_for :users
in your routes, to
devise_for :users do
get "/users/sign_out" => "devise/sessions#destroy", :as => :destroy_user_session
end
If this wasn't what you were looking for, go into a little more detail
I'm a Rails noob and am hoping someone can help me wrap my head around this issue. I have an app that has a single User model using Authlogic for authentication and CanCan for authorization. There are three roles: Consumer, Business, and Admin. A user can have any number of these roles.
Businesses have additional attributes, however, and I need to model this such that I can add roles that each have potentially different attributes. Instinct tells me that I need to have a separate model to represent each role's attributes, i.e. BusinessRoleProfile, ConsumerRoleProfile, etc and then maybe mixin a module programmatically that adds the appropriate has_one reference(s) to the profile model(s).
Is this the best way to handle the separate attributes? If so, can someone guide me through how to dynamically include those mixins based on what role the user has?
EDIT:
Did some more research, this may help you. https://github.com/thefrontiergroup/scoped_attr_accessible
Looks like you can do things like:
class User < ActiveRecord::Base
# All attributes are accessible for the admin scope.
attr_accessible :all, :scope => :admin
# The default scope can only access a and b.
attr_accessible :a, :b
# Make both :c and :d accessible for owners and the default scope
attr_accessible :c, :d, :scope => [:owner, :default]
# Also, it works the same with attr_protected!
attr_protected :n, :scope => :default
end
OLD ANSWER
Looks like it may be featured in CanCan 2.0.
https://github.com/ryanb/cancan/issues/326
I have set up a blog with secure log-in using the Devise plugin and its working well. I'm going to add an additional 'username' field at sign-up and article posts will then display this info. How do I achieve this so the username goes into the db - any code help would be appreciated?
User names will need to be unique but I will look into this later.
As the Devise wiki sez:
Create a migration
rails generate migration add_username_to_users username:string
Run the migration
rake db:migrate
Modify the User model and add username to attr_accessible
attr_accessible :username
more info here
For uniqueness you could just do a validation on the User model
Hope this helps!
Okay so you have 2 questions in the same topic.
The first one has been answered and you followed these steps: Add custom fields to devise
Then for your next question: the problem isn't the user but #article because this variable is nil. So Rails can't find the User related to something that is nil.
You should post your controller and your _article view so I can help further.
Also I don't understand what you meant by :
I changed the object from 'email' to 'username' to stop it showing the submitters email address in the article
..You can choose whatever you want to display without replacing anything. If you want to display the user's username, just do user.username
add belongs_to :user in your article.rb and has_many :articles to your user.rb
update your migration of article to include a user_id:integer field (or use t.references :user)
update your ArticlesController#create action to use current_user.create_article or build_article
be sure to invoke the authenticate_user! before_filter for the :create action
before_filter :authenticate_user!, only => :only => [:new, :create, :edit, :update, :destroy]
ref:
http://guides.rubyonrails.org/association_basics.html