I've just finished setting up Devise on a single application, using a single User model with two scopes, so I can have an /admin/login as well as a regular /users/login path. This works pretty well, my config/routes.rb file looks like this:
devise_for :users,
:path_names => { :sign_in => 'login', :sign_out => 'logout' }
devise_for :admins,
:class_name => 'User',
:skip => [:passwords, :registrations, :confirmations, :sessions],
:controllers => { :sessions => 'admin/sessions' } do
get 'admin/login' => 'admin/sessions#new', :as => :new_admin_session
post 'admin/login' => 'admin/sessions#create', :as => :admin_session
delete 'admin/logout' => 'admin/sessions#destroy', :as => :destroy_admin_session
end
This works pretty fine and dandy, I can log in to each side of the application without affecting the other. That is, the session names are separate and logging into one does not log you into the other.
Now, I've set up CanCan with my Roles model, and an Ability model, and have these defined in my database and working.
Question is, I want to be able to fill out the form on admin/login, and receive an error message because my Role doesn't allow me to log into that area. How can I accomplish this?
I am a bit confused by your question. If you are filling out the form on admin/login, then presumably you have not logged in yet?
If that's the case, then there is no current_user or current_admin and therefore nothing is passed to CanCan yet.
I have a similar set-up in my app and maintain different accounts on each side of the app. My user account is different than my admin account. If I forget and try to login to the admin side using my regular user account, I simply receive an unknown user/password error from Devise.
Related
After customising Devise routes, I have some issues with the routing.
Currently setup (but failing):
/me/account loads Devise::Registration#edit form
/me/account/:what routes to account_controller#edit
My routes (shortcut):
devise_for :users do
...
end
devise_scope :user do
scope "/me/account" do
get "/" => "users/registrations#edit", :as => :my_account
get "/:what" => "accounts#edit", :as => :my_account_edit
end
end
resources :accounts, :only => [:edit, :update]
Rake routes output:
activate_account GET /reactivate(.:format) users#reactivate
my_account GET /me/account(.:format) users/registrations#edit
my_account_edit GET /me/account/:what(.:format) accounts#edit
cancel GET /me/account/cancel(.:format) users/registrations#cancel
DELETE /me/account(.:format) users/registrations#destroy
edit_account GET /accounts/:id/edit(.:format) accounts#edit
account PATCH /accounts/:id(.:format) accounts#update
PUT /accounts/:id(.:format) accounts#update
Account
Since /me/account is actually showing registrations#edit ( Devise ) and all the /me/account/helpme are custom form fields
This has issues:
No notices shown on /me/account on update or failure
On failure the form is not repopulated with earlier filled in form values
Its not updating the form
/me/account/helpme goes , on form submit , to /accounts/1 ( the current user id ) and throws error
No route matches {:action=>"edit", :controller=>"accounts", :id=>"1", :what=>nil} missing required keys: [:what]
These issues are totally driving me insane. Anyone can provide me some suggestions to fix (one or more ) of these routing issues?
About form submit error.
You need to override url in your form to submit to:
<%= form_for #resource, url: my_account_edit(what: params[:what]) do |f| %>
This should be done in your views or in devise-generated views.
If you didn't generated devise views, then, just run in terminal:
rails g devise:views
EDIT
And you should tell us how your form in views looks like, and how controller handles updates of custom fields.
I have gone through and looked at a bunch of screen casts (http://railscasts.com/episodes/270-authentication-in-rails-3-1) and tutorials (http://ruby.railstutorial.org/chapters/modeling-and-viewing-users-two?version=2.3#sec:secure_passwords) but I can't seem to find or apply what I am learning to create a single view password protected.
As of now I am generating a random password and showing it to the user to go back and view a file they have uploaded (generated using SecureRandom.hex). However, I know that using http_basic doesn't seem to work when I restrict it only to the show view and method in my controller : http_basic_authenticate_with :password => :passcode, :only => :show
I know that line of code does not work because :passcode does not reference the individual files password that was created.
Also, I know that http_basic_authenticate_with is not the way it should be done for secure passwords, so how would you go about this using has_secure_password etc?
You can try to encapsulate the http_basic_authenticate_with :password => :passcode in a method in your controller, and call the before_filter to call that method.
Something like that:
before_filter :restrict, :only => :show
def show
end
def restrict
http_basic_authenticate_with :password => :passcode
end
I am using Devise in my site I create admin namespace and giving functionality of create user by admin.
my routes are as under
devise_for :users,:has_many => :comments, :controllers => {:sessions =>'devise/sessions',:registrations => 'devise/registrations'} do
get "/login", :to => "devise/sessions#new", :as => :login
get "/signup", :to => "devise/registrations#new", :as => :signup
get "/logout", :to => "devise/sessions#destroy", :as => :logout
end
when i click on add_user link which has signup_path causing following error:
My Error
Started GET "/signup" for 127.0.0.1 at Fri Mar 09 12:49:11 +0530 2012
Processing by Devise::RegistrationsController#new as HTML
User Load (0.1ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 35 LIMIT 1
Redirected to http://localhost:3000/admin
Filter chain halted as :require_no_authentication rendered or redirected
Completed 302 Found in 3ms (ActiveRecord: 0.1ms)
I think it going to the devise registration controller but due to following line it cause an error in devise registration controller
prepend_before_filter :require_no_authentication, :only => [ :new, :create, :cancel ]
The mentioned line on Devise's Controller makes sense in general cases: a logged in user can't sign up. As you're on a case where only an admin can create a user, I would suggest that you don't use Devise's controller on Registerable module and write your own controller with your own rules. You can write it based on Devise's controller changing only the mentioned line.
If you want to use it, try skipping the before_filter with skip_before_filter. I don't think it is the best solution. and I would write my own controller.
I was receiving the following error in my development log.
Filter chain halted as :require_no_authentication
An endless loop was created because devise's after_sign_in_path_for in application_controller.rb was redirecting back to the previous page with
stored_location_for(resource)
Devise's gem signs in the user when the password is edited.
Like you, I wanted an Admin user to be able to add new users. But I didn't want to mess with the Devise Registerable, since I actually wanted users to still be able to register themselves. I have some admin users with permission to add a new user, so I created additional methods in my users controller and additional views to handle that case.
My additional methods are not referenced by Devise's prepend_before_filter :require_no_authentication, so they don't get the error.
My recipe:
In app/controllers/users_controller.rb (or whatever object you are using devise for):
Copy the new, create and update methods and rename the copies to admin_new, admin_create, and admin_update.
In app/views/users, copy new.html.erb to admin_new.html.erb Change the partial to refer to admin_form instead of form:
<%= render 'admin_form' %>
Then copy the partial _form.html.erb to _admin_form.html.erb. In _admin_form.html.erb, change the form_for to use a different URL:
form_for(#user, :url => '/users/admin_create')
Add routes in config/routes.rb to point to the alternate methods in the user controller:
devise_scope :user do
...
get 'users/admin_new' => 'users#admin_new'
post 'users/admin_create' => 'users#admin_create'
end
Now you can add users while you are logged in by going to /users/admin_new, and users are still able to create their own user (register) using the devise mechanism that you have not disturbed.
I got an even simpler solution:
prepend_before_filter :require_no_authentication, only: [:cancel ]
By removing :new, :create from the prepend_before_filter it overrides devise source code and solve the problem. I had the same issue and it solved my problem.
I also noticed in my application that when I create a user and log in as that user, the above messages are displayed by the rails server console and I am redirected to rails localhost default window 'Yay, You are on Rails'.
This is because no page is defined to take the logged-in user. When I defined a welcome page 'index.html.erb' in a folder, say, 'welcome' under 'views' folder, the login was successful and it worked. You can try this.
having trouble with testing devise sign up on Cucumber. After "Sign Up" click
it shows
uninitialized constant User::ArticlesController (ActionController::RoutingError)
I suppose that's because right after Sign up, devise redirects logged user to Articles page and but it's not under namespace User. Because I test user it put everything under this namespace.
This Devise howto says you can route to something not under the User namespace by naming a user_route path:
match 'my/dashboard' => 'my/dashboard#index', :as => 'user_root'
So it sounds like you can do something like:
match 'articles' => 'articles#index', :as => 'user_root'
I've followed the instructions here:
http://github.com/plataformatec/devise/wiki/How-to-edit-user-form-without-current-password
But it seems to ignore that and still validate and require current password.
In fact, I can do whatever I want to app/controllers/registrations_controller.rb including putting tonnes of syntax errors in, and it still asks for the current password to be present.
What am I missing?
Hard to quess, as you pasted no code, but it looks like you need to point devise to a different controller:
devise_for :user, :controllers => { :sessions => "..." }