I have got two methods in application_controller.rb
    def force_ssl
      if !request.ssl?
        redirect_to :protocol => 'https'
      end
    end

    def no_ssl
      if request.ssl?
        redirect_to :protocol => "http"
      end
    end
Also, I have done before_filter :no_ssl in application.rb.
Now I am trying to call the force_ssl method in the sessions controller of Devise to secure login through SSL.
In the sessions_controller.rb file I have done skip_before_filter :no_ssl and before_filter :force_ssl.
I am not able to log in when I use this; however, if I do not do before_filter :no_ssl in application_controller.rb, it works fine.
Since I have got a lot of controllers, I was trying to put before_filter :no_ssl in application.rb so that I do not have to call before_filter :no_ssl in all the controllers, as that would not be DRY.
I have tried almost all the available resources and don't know why this is not working.
P.S. This is working for my other controllers, except for the Devise controller.
Any suggestions?
Thanks,
You can use Bartt-SSL_Requirement, it works well in Rails 3.1, that way you don't need the before_filter and skip_before_filter. In BarttSSLRequirement you can use the "ssl_exceptions" for your before_filter needs.
SSL sometimes gives problems in Development, push it to staging and it should work.
Related
I've integrated dotPay into my Spree site for payments. After choosing this option, the user is redirected from my site to dotPay's. He pays what is needed there and then he can click a button which will return him to my site. And here lies the problem: when he returns he is no longer logged in, and I need him to be.
A bit of a strange thing (to me, maybe): he is being redirected via a POST request, and I can't change that. With that I also get a warning, "Can't verify CSRF token authenticity"; not sure if that might have anything to do with it.
Any suggestions are very much welcome.
P.S. I'm using Spree 1-3-stable, Rails 3.2.13, Devise 2.2.3, Ruby 1.9.3
For specific actions, you can disable CSRF checking by adding a line like this to the controller:

    protect_from_forgery :except => [:callback_from_dotpay]

Conversely, you can specify which actions to protect, like this:

    protect_from_forgery :only => [:create, :update, :delete]

Alternatively, to turn it off completely for an entire controller, you can do this (Rails 2, 3):

    skip_before_filter :verify_authenticity_token

If you decide to jump on the bleeding edge, Rails 4 wants you to do it this way:

    skip_before_action :verify_authenticity_token
Well, in the end I ended up removing the CSRF verification. I'm not 100% sure, but I can't send my authenticity_token to dotPay (well, I can, but they won't return it). However, they are generating an md5, which I can check, and I'm also checking the IP address it's coming from.
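The two checks mentioned above (a gateway-supplied md5 and the source IP) are what stand in for the CSRF token on the exempted callback action. The following is an added example, not code from the thread or from dotPay: the field names, the ':' separator, the shared secret and the allowed network are all placeholders, and the real values have to come from the gateway's documentation.

```ruby
require 'digest/md5'
require 'ipaddr'

# Placeholders, NOT dotPay's documented format: field names and order, the ':'
# separator, shared secret and allowed network are assumptions for this example.
SIGNED_FIELDS   = %w[order_id transaction_id amount status].freeze
SHARED_SECRET   = 'constructed-test-secret'
ALLOWED_SOURCES = [IPAddr.new('192.0.2.0/24')].freeze # TEST-NET-1

# Constant-time string comparison (no early exit on the first mismatch).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# MD5 over the shared secret followed by the signed fields, in fixed order.
def expected_signature(params)
  values = SIGNED_FIELDS.map { |field| params[field].to_s }
  Digest::MD5.hexdigest(([SHARED_SECRET] + values).join(':'))
end

def allowed_source?(ip)
  addr = IPAddr.new(ip.to_s)
  ALLOWED_SOURCES.any? { |net| net.include?(addr) }
rescue IPAddr::Error
  false # unparsable address: reject
end

# Returns :ok, or a symbol naming the check that failed.
def verify_callback(params, remote_ip)
  return :bad_source unless allowed_source?(remote_ip)
  supplied = params['md5'].to_s.downcase
  return :bad_signature unless secure_compare(expected_signature(params), supplied)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed callback parameters, signed with the placeholder secret.
  sample = { 'order_id' => '12345', 'transaction_id' => 'T-1',
             'amount' => '10.00', 'status' => '2' }
  sample['md5'] = expected_signature(sample)
  p verify_callback(sample, '192.0.2.10')                           # genuine
  p verify_callback(sample.merge('amount' => '0.01'), '192.0.2.10') # tampered
  p verify_callback(sample, '203.0.113.5')                          # wrong source
end
```

In the Rails app this would run at the top of the one action listed in protect_from_forgery :except, with params and request.remote_ip as arguments, so that every other action keeps its token check. Behind a reverse proxy, request.remote_ip is only meaningful when the trusted proxies are configured.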
I have an application with Devise (2.2.3) and Active Admin (0.5.1). I installed Devise first, and then Active Admin afterwards. The entire app needs to sit behind a login, so in my application controller I have the following:

    before_filter :authenticate_user!

However, since installing Active Admin to the root namespace (config.default_namespace = false, in initializers/active_admin.rb), my application now won't let anyone log in. It creates a redirect loop to the path /users/login.
I've tried alleviating this by adding a skip_before_filter in my config/application.rb file, but this hasn't worked:

    config.to_prepare do
      Devise::SessionsController.skip_before_filter :authenticate_user!
      UsersController.skip_before_filter :authenticate_user!
    end

and I also added the following to app/admin/user.rb:

    controller do
      skip_before_filter :authenticate_user!
    end

which also did nothing. Finally, I tried explicitly excluding the two controllers in my application_controller.rb, but this also did nothing.

    before_filter :authenticate_user!, except: {controller: [:users, 'devise/sessions']}

How do I get around this rather annoying problem?
Solved the issue by changing my routes around. The ActiveAdmin routes need to come after the Devise routes, like so:

    devise_for :users, ActiveAdmin::Devise.config
    ActiveAdmin.routes(self)

Believe this occurred because I installed ActiveAdmin after I'd installed and configured Devise.
I'm using Devise in my Rails 3 project. I need to redirect the user to a different page once logged in. How can I do this without overriding the sessions controller?
Question looks like a duplicate of https://stackoverflow.com/a/12854498/790737
Try putting this in your ApplicationController:

    def after_sign_in_path_for(resource)
      different_page_path # this should be a path helper
    end

I assume you know how to use path and url helpers, and that you can use

    rake routes

to list them. Good luck.
I am using the activeadmin gem, which is going fine. Now I want to add its authentication to some external pages or, as you say in MVC, to some actions. Don't mix these up with the actions which can be added from admin/users.rd files; these are actions that reside outside of activeadmin.
To use Devise (which Active Admin uses for authentication) for a page in the same app that is not an actual Active Admin page, I did the following:
In my routes.rb I added a new route:

    devise_scope :admin_user do
      resources :products
    end

Then in my products_controller.rb I added a before_filter to restrict access:

    class ProductsController < ApplicationController
      before_filter :authenticate_admin_user!
      # ... actions ...
    end

Hope that helps!
My routes:

    devise_for :users
    devise_for :admin_users, ActiveAdmin::Devise.config #I have also tried removing this for any conflicts
    resources :users

The sign out link. Routes to /users/sign_out just fine:

    <%= link_to "Logout", destroy_user_session_path, :method => :delete %>

Trying to sign out gives me the error:

    Couldn't find User with id=sign_out

If I then remove the resource :users, I get:

    The action 'sign_out' could not be found for UsersController

What's wrong? The exact same code worked with Rails 2.3.8 and the corresponding Devise version.
Logging in etc. works fine.
My setup is:
Ruby 1.9.2
Rails 3.1.1.rc3
Devise 1.4.8
First of all, using the same path for UsersController and Devise isn't a great idea. I would suggest using a path like '/accounts' for Devise.
But this probably isn't the cause of your sign out problem, as devise_for :users comes before resources :users in routes.rb. What seems to be the cause is, unless there's a typo in the question, that there's no comma after destroy_user_session_path. :method => :delete will be interpreted as a parameter to destroy_user_session_path unless there's a comma.
Also, make sure you're including jquery and jquery_ujs in application.js, as these are required for :method => :delete to work.