Hi,

I am still a total newbie to Ruby and Rails, but I was wondering: what is the accepted solution in Rails to login authentication ? I.e., I want to build a simple site where users can register and login -- is there support for that ? I realize that Rails is just a framework, and not a full-scale CMS, but just in case...

Also, more importantly, where would I go to learn stuff like that ? I found lots of Rails tutorials, and lots of low-level APIs, but the former are too simple, and the latter are too numerous.

On Tue, 22 Mar 2005 17:10:24 -0800, Stanislav Freidin <bugmaster-ihVZJaRskl1bRRN4PJnoQQ@public.gmane.org> wrote:
> Hi,
>
> I am still a total newbie to Ruby and Rails, but I was wondering: what
> is the accepted solution in Rails to login authentication ? I.e., I
> want to build a simple site where users can register and login -- is
> there support for that ? I realize that Rails is just a framework, and
> not a full-scale CMS, but just in case...
>
> Also, more importantly, where would I go to learn stuff like that ? I
> found lots of Rails tutorials, and lots of low-level APIs, but the
> former are too simple, and the latter are too numerous.

Check here http://wiki.rubyonrails.com/rails/show/Howtos

This will help you: http://wiki.rubyonrails.com/rails/show/HowtoAuthenticate

I know the tutorials all look a little simple, but Rails IS simple. The Wiki has most of the things you'll want to know on, for everything else there's google ;)

--
Phillip Hutchings
http://www.sitharus.com/
sitharus-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org / sitharus-QrR4M9swfipWk0Htik3J/w@public.gmane.org

On Tue, 22 Mar 2005 17:10:24 -0800, Stanislav Freidin <bugmaster-ihVZJaRskl1bRRN4PJnoQQ@public.gmane.org> wrote:
> Hi,
>
> I am still a total newbie to Ruby and Rails, but I was wondering: what
> is the accepted solution in Rails to login authentication ? I.e., I
> want to build a simple site where users can register and login -- is
> there support for that ? I realize that Rails is just a framework, and
> not a full-scale CMS, but just in case...
>
> Also, more importantly, where would I go to learn stuff like that ? I
> found lots of Rails tutorials, and lots of low-level APIs, but the
> former are too simple, and the latter are too numerous.

http://wiki.rubyonrails.com/rails/show/LoginGenerator

You can take a look at this.

http://wiki.rubyonrails.com/rails/show/LoginGenerator

On Tue, 2005-03-22 at 17:10 -0800, Stanislav Freidin wrote:
> Hi,
>
> I am still a total newbie to Ruby and Rails, but I was wondering: what
> is the accepted solution in Rails to login authentication ? I.e., I
> want to build a simple site where users can register and login -- is
> there support for that ? I realize that Rails is just a framework, and
> not a full-scale CMS, but just in case...
>
> Also, more importantly, where would I go to learn stuff like that ? I
> found lots of Rails tutorials, and lots of low-level APIs, but the
> former are too simple, and the latter are too numerous.
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Phillip Hutchings wrote:
> This will help you: http://wiki.rubyonrails.com/rails/show/HowtoAuthenticate

Thanks for the info. Unfortunately, here's what I got:

-----------------------------------
d:\dev>"i:\ruby\bin\ruby.exe" "i:\ruby\bin\gem" install --source http://dist.leetsoft.com login_generator
Attempting local installation of 'login_generator'
Local gem file not found: login_generator*.gem
Attempting remote installation of 'login_generator'
Updating Gem source index for: http://dist.leetsoft.com
Successfully installed login_generator, version 1.0.0
Installing RDoc documentation for login_generator-1.0.0...
WARNING: Generating RDoc on .gem that may not have RDoc.

templates/controller.rb:8:29: Expected class name or '<<'. Got RubyToken::TkLT: "<"

templates/controller_test.rb:7:9: Expected class name or '<<'. Got RubyToken::TkLT: "<"
ERROR: While executing gem ... (Errno::EINVAL)
Invalid argument - classes/<.html
-----------------------------------

Any ideas on how to fix this ?

On Tue, 22 Mar 2005 17:22:40 -0800, Stanislav Freidin <bugmaster-ihVZJaRskl1bRRN4PJnoQQ@public.gmane.org> wrote:
> Phillip Hutchings wrote:
>
> >This will help you: http://wiki.rubyonrails.com/rails/show/HowtoAuthenticate
>
> Thanks for the info. Unfortunately, here's what I got:
> -----------------------------------
> d:\dev>"i:\ruby\bin\ruby.exe" "i:\ruby\bin\gem" install --source
> http://dist.leetsoft.com login_generator
> Attempting local installation of 'login_generator'
> Local gem file not found: login_generator*.gem
> Attempting remote installation of 'login_generator'
> Updating Gem source index for: http://dist.leetsoft.com
> Successfully installed login_generator, version 1.0.0
> Installing RDoc documentation for login_generator-1.0.0...
> WARNING: Generating RDoc on .gem that may not have RDoc.
>
> templates/controller.rb:8:29: Expected class name or '<<'. Got
> RubyToken::TkLT: "<"
>
> templates/controller_test.rb:7:9: Expected class name or '<<'. Got
> RubyToken::TkLT: "<"
> ERROR: While executing gem ... (Errno::EINVAL)
> Invalid argument - classes/<.html
> -----------------------------------
> Any ideas on how to fix this ?

If you look at the messages...

> Successfully installed login_generator, version 1.0.0

Looks like it got installed ok. Problem building the documentation though (for some reason), but you probably don't need that installed on your local machine.

Joe Van Dyk wrote:
> If you look at the messages...
>
>> Successfully installed login_generator, version 1.0.0
>
> Looks like it got installed ok. Problem building the documentation
> though (for some reason), but you probably don't need that installed
> on your local machine.

Ah, thanks. Sorry, I am not yet familiar enough with Ruby, so I can't easily tell which errors are safe to ignore.

Greetings,

Ultimately, there are two issues with regards to authentication. First, you need to establish the identity of the person on the other end of the line, and second you need to restrict the set of actions they are permitted to perform.

I've begun working on an authentication/permissions system for Rails which stores both authentication and permission information in the underlying database. Is there any interest? And if so, what might the best forum for presenting this be?

Peter Spierenburg.

-----Original Message-----
From: Stanislav Freidin <bugmaster-ihVZJaRskl1bRRN4PJnoQQ@public.gmane.org>
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Date: Tue, 22 Mar 2005 17:10:24 -0800
Subject: [Rails] Login Authentication ?

Hi,

I am still a total newbie to Ruby and Rails, but I was wondering: what is the accepted solution in Rails to login authentication ? I.e., I want to build a simple site where users can register and login -- is there support for that ? I realize that Rails is just a framework, and not a full-scale CMS, but just in case...

Also, more importantly, where would I go to learn stuff like that ? I found lots of Rails tutorials, and lots of low-level APIs, but the former are too simple, and the latter are too numerous.

Peter-Frank Spierenburg wrote:
> I've begun working on an authentication/permissions system for Rails which stores both authentication and permission information in the underlying database. Is there any interest? And if so, what might the best forum for presenting this be?

I know virtually nothing about Rails, but I have developed a major CMS from scratch before. Let me give you a fair warning: a proper implementation of authentication and permissions is really, really hard to do. This has nothing to do with the language or framework that you're working with -- the problem is conceptually hard. It gets a lot easier if you don't care about efficiency, but then your server might never grow to be "enterprise-class" (or whatever the latest buzzword for "many simultaneous users" is).

The problem here is that every potential action needs to be authenticated, transparently from the user, and as transparently as possible from the programmer. When you get into hierarchies of objects which inherit permissions from one another, you end up with either a very slow data structure, a mess from hell, or both. I could pontificate more about it, but I should probably shut up now :-)

On Wed, 23 Mar 2005 00:48:19 -0800, Stanislav Freidin <bugmaster-ihVZJaRskl1bRRN4PJnoQQ@public.gmane.org> wrote:
> The problem here is that every potential action needs to be
> authenticated, transparently from the user, and as transparently as
> possible from the programmer. When you get into hierarchies of objects
> which inherit permissions from one another, you end up with either a
> very slow data structure, a mess from hell, or both. I could pontificate
> more about it, but I should probably shut up now :-)

Login generator makes it easy. Just put it in, and enable it for whatever actions you want to protect. You can even easily write tests to ensure that logged-out users are unable to access your protected actions. Is this what you are talking about?

I know what you mean by saying the login/authentication system is difficult... I've never implemented a full CMS before, but I did once undertake a large database-backed perl project once, and I got as far as implementing the user login system (but no permission system, only ability to register account and log in), before giving up, it was hard (and I was even good with perl!). I'm a total newbie to ruby, but in rails I just plug in the login generator and away I go.

Between the login generator and the pagination helper, half my project is done for me ;)

--
One Guy With A Camera
http://rbpark.ath.cx

Rob Park <rbpark-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
> On Wed, 23 Mar 2005 00:48:19 -0800, Stanislav Freidin
> <bugmaster-ihVZJaRskl1bRRN4PJnoQQ@public.gmane.org> wrote:
>> The problem here is that every potential action needs to be
>> authenticated, transparently from the user, and as transparently as
>> possible from the programmer. When you get into hierarchies of objects
>> which inherit permissions from one another, you end up with either a
>> very slow data structure, a mess from hell, or both. I could pontificate
>> more about it, but I should probably shut up now :-)
>
> Login generator makes it easy. Just put it in, and enable it for
> whatever actions you want to protect. You can even easily write tests
> to ensure that logged-out users are unable to access your protected
> actions. Is this what you are talking about?

The login generator is great. As pointed out though, authentication isn't authorization. The login generator only really helps with authentication. It's a one size fits all authorization. However, it's not too hard to ramp up some. Even as a total newbie I was able to add an admin_required filter similar to login_required with tests and everything in a couple evenings. This buys me two-level authorization. Obviously, this doesn't scale too well for a full blown access control list.

My point is that the login generator is great and I really like it; just don't discount the complexity of ACLs.

--
doug-jGAhs73c5XxeoWH0uzbU5w@public.gmane.org

I've been trying to get my head around the sort of authentication needed for a system I'm building. It's difficult because I don't just need people to be "authenticated" but I need to decide from the username of the logged-in individual which "account" they are tied to. So say I have a database of "to-do's" I need to know which to-do lists belong to this particular user.

I'm sure a great many applications need functionality like this, but none of the authentication demos really seem to touch on this. They're not even specific about how to structure the user account database. I would more than anything love to see a Rails demo of how to build this type of system.

Has anyone written such a tutorial? I've looked around quite a bit and only the "publication app" example in the Wiki comes close to showing this kind of functionality, but it's a bit old (for Rails!) and some of the code doesn't even work as written, so it's difficult.

Any help in this department would be *greatly* appreciated!!!

Thanks,
Raymond

On Mar 23, 2005, at 7:03 AM, Doug Alcorn wrote:
> Rob Park <rbpark-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>
>> On Wed, 23 Mar 2005 00:48:19 -0800, Stanislav Freidin
>> <bugmaster-ihVZJaRskl1bRRN4PJnoQQ@public.gmane.org> wrote:
>>> The problem here is that every potential action needs to be
>>> authenticated, transparently from the user, and as transparently as
>>> possible from the programmer. When you get into hierarchies of
>>> objects
>>> which inherit permissions from one another, you end up with either a
>>> very slow data structure, a mess from hell, or both. I could
>>> pontificate
>>> more about it, but I should probably shut up now :-)
>>
>> Login generator makes it easy. Just put it in, and enable it for
>> whatever actions you want to protect. You can even easily write tests
>> to ensure that logged-out users are unable to access your protected
>> actions. Is this what you are talking about?
>
> The login generator is great. As pointed out though, authentication
> isn't authorization. The login generator only really helps with
> authentication. It's a one size fits all authorization. However,
> it's not too hard to ramp up some. Even as a total newbie I was able
> to add an admin_required filter similar to login_required with tests
> and everything in a couple evenings. This buys me two-level
> authorization. Obviously, this doesn't scale too well for a full
> blown access control list.
>
> My point is that the login generator is great and I really like it;
> just don't discount the complexity of ACLs.
> --
> doug-jGAhs73c5XxeoWH0uzbU5w@public.gmane.org

On Thursday, April 7, 2005, 10:36:52 AM, Raymond wrote:
> I've been trying to get my head around the sort of authentication
> needed for a system I'm building. It's difficult because I don't just
> need people to be "authenticated" but I need to decide from the
> username of the logged-in individual which "account" they are tied to.
> So say I have a database of "to-do's" I need to know which to-do lists
> belong to this particular user.

> I'm sure a great many applications need functionality like this, but
> none of the authentication demos really seem to touch on this. They're
> not even specific about how to structure the user account database. I
> would more than anything love to see a Rails demo of how to build this
> type of system.

> Has anyone written such a tutorial? I've looked around quite a bit and
> only the "publication app" example in the Wiki comes close to showing
> this kind of functionality, but it's a bit old (for Rails!) and some of
> the code doesn't even work as written, so it's difficult.

> Any help in this department would be *greatly* appreciated!!!

Pseudocode, assuming you're using the LoginGenerator:

  table users (
    id    int auto_increment,
    login varchar(20)
    ...
  )

  table todos (
    id      int auto_increment,
    user_id int,
    todo    text
  )

  class User < ActiveRecord::Base
    has_many :todos
  end

  class Todo < ActiveRecord::Base
    belongs_to :user

    # Class-level finder: it is called below as Todo.find_by_user(...)
    def self.find_by_user(user)
      find_all ["user_id = ?", user.id]
    end
  end

  class TodoController < ApplicationController
    before_filter :login_required

    # This is to list all the todos of the _logged-in user_.
    # We know "current_user" is valid because login is required before
    # accessing this action.
    def list
      @todos = Todo.find_by_user(current_user)
    end
  end

  module ApplicationHelper
    def current_user
      @session['user']
    end

    def logged_in?
      current_user != nil
    end
  end

Now if you point your app to http://localhost:3000/todo/list (or whatever), you'll get the list of todos for the currently logged in user.

That's the way I'm doing it. Others would have an explicit ID, as in http://localhost:3000/todo/list/13 for user #13's todos.

You can use both: implicit user for private (logged-in) view; explicit user for public (anonymous) view.

I haven't dealt with an "account" as such, but hopefully this will get you going.

Cheers,
Gavin

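[Added example, not part of the original thread or of the LoginGenerator.] The implicit-user and explicit-user views described in the message above differ in where the owner id comes from: the session or the URL. This plain-Ruby sketch models the users/todos tables in memory and puts an unscoped lookup by id beside the owner-scoped one; the `shared` column, the `TodoStore` class and the sample rows are assumptions made for the illustration.

```ruby
# Added illustration (not from the thread): plain-Ruby stand-ins for the
# users/todos tables, so the ownership check can be run without Rails.
User = Struct.new(:id, :login)
Todo = Struct.new(:id, :user_id, :todo, :shared)  # `shared` is an assumed column

class NotFound < StandardError; end

class TodoStore
  def initialize(rows)
    @rows = rows
  end

  # Implicit user (todo/list): the owner comes from the session, so the
  # result can only ever contain the logged-in user's rows.
  def list_for(current_user)
    @rows.select { |t| t.user_id == current_user.id }
  end

  # Unscoped lookup by id, the shape of Todo.find(id). A logged-in user who
  # changes the id in the URL gets another user's row back.
  def find_unscoped(id)
    fetch { |t| t.id == id }
  end

  # Scoped lookup, the shape of current_user.todos.find(id). A row owned by
  # someone else is indistinguishable from a row that does not exist.
  def find_for(current_user, id)
    fetch { |t| t.id == id && t.user_id == current_user.id }
  end

  # Explicit user (todo/list/13) for the anonymous view: the id in the URL is
  # untrusted input, so only rows the owner marked as shared are returned.
  def public_list(user_id)
    @rows.select { |t| t.user_id == user_id && t.shared }
  end

  private

  def fetch(&match)
    row = @rows.find(&match)
    raise NotFound, "no such todo" unless row
    row
  end
end

# Constructed sample data.
ALICE = User.new(1, "alice")
BOB   = User.new(13, "bob")
STORE = TodoStore.new([
  Todo.new(1, 1,  "renew certificate", false),
  Todo.new(2, 1,  "publish changelog", true),
  Todo.new(3, 13, "rotate API key",    false),
])
```
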
On 07/04/2005, at 10:36 AM, Raymond Brigleb wrote:
> I've been trying to get my head around the sort of authentication
> needed for a system I'm building. It's difficult because I don't just
> need people to be "authenticated" but I need to decide from the
> username of the logged-in individual which "account" they are tied to.
> So say I have a database of "to-do's" I need to know which to-do lists
> belong to this particular user.

Your auth system should place the current user in a session variable. You could either access it from the session, or have a before_filter in your application controller which sets it as an instance variable (which is a good idea). Then you can just access it by saying @user.

Then you can access your "to-do's" using @user.todos (assuming User has_many :todos)

> I'm sure a great many applications need functionality like this, but
> none of the authentication demos really seem to touch on this. They're
> not even specific about how to structure the user account database. I
> would more than anything love to see a Rails demo of how to build this
> type of system.

Have you looked at the login generator? It's the de facto Rails way of authentication. It also gives you the SQL to create your User table.

> Has anyone written such a tutorial? I've looked around quite a bit and
> only the "publication app" example in the Wiki comes close to showing
> this kind of functionality, but it's a bit old (for Rails!) and some
> of the code doesn't even work as written, so it's difficult.

See above.

- tim lucas

On Thursday, April 7, 2005, 11:40:39 AM, Gavin wrote:
> @todos = Todo.find_by_user(current_user)

After reading Tim's post in this thread, I realised that's about the dumbest thing I've ever done. It should be:

  @todos = current_user.todos

P.S. Another tip with this authentication stuff. I don't want to have to log in every time I want to (manually) test the app, which is very often. So:

  class ApplicationController
    before_filter :initialise_user

    private

    # Puts user #1 into the session on every request
    def initialise_user
      session['user'] = User.find(1)
    end
  end

That way, the "before_filter :login_required" condition in the Todo controller (or whatever) is satisfied.

Cheers,
Gavin

On Apr 7, 2005 1:56 PM, Gavin Sinclair <gsinclair-81uBx+iSpXA0n/F98K4Iww@public.gmane.org> wrote:
> On Thursday, April 7, 2005, 11:40:39 AM, Gavin wrote:
>
> > @todos = Todo.find_by_user(current_user)
>
> After reading Tim's post in this thread, I realised that's about the
> dumbest thing I've ever done. It should be:
>
>   @todos = current_user.todos
>
> P.S. Another tip with this authentication stuff. I don't want to have
> to log in every time I want to (manually) test the app, which is very
> often. So:
>
>   class ApplicationController
>     before_filter :initialise_user
>
>     private
>
>     def initialise_user
>       session['user'] = User.find(1)
>     end
>   end
>
> That way, the "before_filter :login_required" condition in the Todo
> controller (or whatever) is satisfied.

... i.e no one has to login ever? Where are these sites of yours? Can I get cash from any of them? ;)

I presume you turn this off for production environments?

> Cheers,
> Gavin

--
Cheers
Koz

On Apr 6, 2005 7:56 PM, Gavin Sinclair <gsinclair-81uBx+iSpXA0n/F98K4Iww@public.gmane.org> wrote:
>   class ApplicationController
>     before_filter :initialise_user
>
>     private
>
>     def initialise_user
>       session['user'] = User.find(1)
>     end
>   end
>
> That way, the "before_filter :login_required" condition in the Todo
> controller (or whatever) is satisfied.

It makes a lot more sense to do this in your actual tests than in the controller. Then you can also put in tests to make sure that it _doesn't_ work when the user is logged out.

--
Urban Artography
http://artography.ath.cx

Gavin,

On 7.4.2005, at 04:40, Gavin Sinclair wrote:
>
>   class Todo < AR::Base
>     belongs_to :user
>     def find_by_user(user)
>       find_all ["user_id = ?", user.id]
>     end
>   end

AR nowadays automatically creates finder methods for all attributes of a class. You will always have find_by_attributeA and find_all_by_attributeA at hand. So there's no need to explicitly create a find_by_user method anymore.

//jarkko

--
Jarkko Laine
http://jlaine.net
http://odesign.fi

On Thursday, April 7, 2005, 3:06:01 PM, Rob wrote:
> On Apr 6, 2005 7:56 PM, Gavin Sinclair
> <gsinclair-81uBx+iSpXA0n/F98K4Iww@public.gmane.org> wrote:
>>   class ApplicationController
>>     before_filter :initialise_user
>>
>>     private
>>
>>     def initialise_user
>>       session['user'] = User.find(1)
>>     end
>>   end
>>
>> That way, the "before_filter :login_required" condition in the Todo
>> controller (or whatever) is satisfied.

> It makes a lot more sense to do this in your actual tests than in the
> controller. Then you can also put in tests to make sure that it
> _doesn't_ work when the user is logged out.

Yep, but I wasn't talking about unit testing; I was talking about "manual" testing; i.e. manually interacting with the running app and seeing that things are working. That's partially testing, but mostly just iterating the development.

Gavin

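[Added example, not part of the original thread or of the LoginGenerator.] The thread leaves open how the initialise_user shortcut is kept out of production and how the admin_required level mentioned earlier sits beside login_required. This plain-Ruby model of a filter chain restricts the shortcut to the development environment and lets the logged-out case be asserted directly; the `Request` class, the `dispatch` helper, the `admin` flag and the user table are assumptions made for the illustration.

```ruby
# Added illustration (not from the thread): a plain-Ruby model of a
# before_filter chain, runnable without Rails.
User = Struct.new(:id, :login, :admin)  # `admin` flag is an assumption

# Constructed user table.
USERS = {
  1 => User.new(1, "dev", true),
  2 => User.new(2, "member", false),
}.freeze

# Hypothetical request object: a session hash plus the environment name.
class Request
  attr_reader :session, :env

  def initialize(session: {}, env: "production")
    @session = session
    @env = env
  end
end

module Filters
  module_function

  # The development shortcut from the thread, restricted to development.
  # In any other environment it leaves the session untouched.
  def initialise_user(req)
    req.session['user'] ||= USERS.fetch(1) if req.env == "development"
    true
  end

  # Authentication: some user must be in the session.
  def login_required(req)
    !req.session['user'].nil?
  end

  # Second authorization level, in the spirit of an admin_required filter.
  def admin_required(req)
    user = req.session['user']
    !user.nil? && user.admin == true
  end
end

# Runs the filters in order; the first one that returns false halts the
# chain, as a before_filter returning false did in Rails at the time.
def dispatch(req, filters)
  filters.each do |name|
    return :denied unless Filters.public_send(name, req)
  end
  :ok
end

LOGIN_CHAIN = [:initialise_user, :login_required].freeze
ADMIN_CHAIN = (LOGIN_CHAIN + [:admin_required]).freeze
```
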