Hi everyone,

New to Ruby/Rails and I'm having difficulty getting my head around how to use the Rails framework to create a webapp that has public areas and admin areas.

For instance, I'm in the process of developing a company intranet site. Developing it in php, I created the public face of the site which is accessible to everyone in the company without login. And then I created the administration interface where, with login, a few select people can make changes to the database, upload files, etc. The file directory structure looking something like this...

public/
  css/
  js/
  folder1/
  folder2/
  admin/ (protected by login)
    ...create, update, delete files
  index.php

However, the rails way of setting up the urls puts create, update and delete in the same directory as read. To me this seems to go against the logic of many sites that have a completely separate administrative area ... having all the "reads" in the root directory and all the creates, updates, and deletes in an admin directory.

Is there a way to separate these out in Rails? Is there just an easier way of approaching this in Rails that I'm not seeing? I'd be interested to hear examples from others of how they have done this.

Marc

==================DISCLAIMER===============================
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies of it from your system. The sender accepts no responsibility for viruses and it is your responsibility to scan attachments (if any). No contracts may be concluded on behalf of the sender by means of email communications unless expressly stated to the contrary.
==================DISCLAIMER===============================
You could run two rails apps -- one for administration and one for general users. From everything I can find, this might be the only way to have separate db users for administration and reading -- an unfortunate fact if true.

As for things being stored side by side, it's only the views that are stored that way, and they're never hit directly. Your dispatcher is what is hit, and a given controller runs. You could map certain actions behind an "admin" folder in your url using routes. Something like

http://site.com/admin/article/edit/1001/

and

http://site.com//article/read/1001/

This isn't done in the filesystem, but via routes. There are probably better ways of which I'm unaware :)

Keep in mind that you're stuck using a single DB user if you run one instance, though, which might open up a vulnerability or two depending on your code and whether any exploits are found in the framework, etc.

On Jul 18, 2005, at 2:13 PM, Marc Love wrote:
> [...]
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
Hi Marc,

The scaffolding, which puts all the CRUD operations in one controller, is just to help you get started. For example, you might want to have a page which shows your products and a page which lets you administer them (setting prices, description etc). You could do something like this:

./script/generate scaffold Product product_browser
./script/generate scaffold Product product_admin

Now you have two controllers built from the same model, each with a complete set of CRUD operations. With this as a starting point, you can tailor the product_browser controller for public consumption, and the product_admin for secured access.

Hope that helps give a bit of an overview? Just remember - the scaffolding is only a starting point.

Cheers,
Ben

On 7/19/05, Marc Love <Marc.Love-w5+zYyZo3JRBDgjK7y7TUQ@public.gmane.org> wrote:
> [...]
On Mon, 2005-07-18 at 11:13 -0700, Marc Love wrote:
> [...]
> Is there a way to separate these out in Rails? Is there just an easier
> way of approaching this in Rails that I'm not seeing? I'd be interested
> to hear examples from others of how they have done this.

There isn't really much of a reason to separate them physically by URL when your code should know whether or not a user is logged in and therefore able to do certain actions. Look at the login generator or even the salted login generator. Both provide you with ways of protecting the sensitive methods from being called without being logged in, and even doing custom lookups to verify any tiered permissions system you want to create. Then in your views, you can conditionally add in the extra navigation UI when you detect the user has the permission to use it.

Benefit is if you protected the methods with the filters from the login generators, you don't have to rely on the absence of the UI to eliminate the ability to get to the methods.

-- 
Steven Critchfield <critch-wQLwMjUOumVBDgjK7y7TUQ@public.gmane.org>
On Jul 18, 2005, at 11:13 AM, Marc Love wrote:
> New to Ruby/Rails and I'm having difficulty getting my head around how
> to use the Rails framework to create a webapp that has public areas and
> admin areas.

I'm having difficulty wrapping my head against that as well. For example (in my problem space), if a program participant logs in, they can't have access to the list view that shows all invited program participants. However, an admin (who may not themselves be a program participant) can. Obviously, it's part of the same controller, but I don't get how to wrap it all up.
You can:

1. provide protection on just those methods ( 1 controller for admin and public )

2. write two separate apps. running on different fcgi processes... ports et al. this can be nice in that you can easily use different database logins et al

3. have base controllers that inherits from ApplicationController for both admin and public sections. put specifics in there and then have controller x in both public and admin sections...

controllers/
  x_controller
  admin/
    x_controller

where x_controller is like

XController
Admin::XController

people have been referring to typo a lot because it does this sort of thing...

i like either 2 or 3 personally...

Marc Love wrote:
> [...]
I understand what you're saying Steven and thanks for the response. However, I think sometimes there is a need to separate out your administrative functions completely from the standard user interface. The functions are too involved to reasonably incorporate them into the standard user view template. And that's where the basis of my question was. I need to create an admin control panel essentially to maintain the backend of my webapp. It looks like the solution is to create two separate rails apps, one with only viewing capabilities and one for my admin control panel.

>>> critch-wQLwMjUOumVBDgjK7y7TUQ@public.gmane.org 07/18/05 11:33AM >>>
[...]
You can do this by using before_filter.

See: http://api.rubyonrails.com/classes/ActionController/Filters/ClassMethods.html for the full docs.

Examples:

Checks for a valid login by calling login_required before any action takes place, except for the "about" and "register" actions:

  before_filter :login_required, :except => [:about, :register]

In a mixed controller you could have:

  before_filter :login_required # for all actions
  before_filter :administrative_rights_required, :only => [:list, :destroy, :edit] # only for these

This will check for both things before "matching" actions of the controller take place. if you don't want the action executed, you'd have to redirect in the filters.

in my case, login_required checks for the session having a :user object and if that :user object is still ok, administrative_rights_required checks for the current user having the "admin" right (i've a :has_many rights in my user model). this method looks like this:

  def administrative_rights_required
    access_denied unless session[:user].allowed?('admin')
  end

and the allowed? method on the user model checks if the user has any right of the name of the given parameter.

Thomas

On 18.07.2005 at 20:36, Deirdre Saoirse Moen wrote:
> [...]
Thank you very much for your emails. That totally makes sense. I need to make two separate apps. One for my end users with view only capability and one for my administrators for my admin control panel. Then, of course, later if I want to add a login system to the end users' interface, I'll just update my controllers and views.

>>> Sean T Allen 07/18/05 11:41AM >>>
[...]

>>> Ben Myles <ben.myles-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> 07/18/05 11:29AM >>>
[...]
On 7/19/05, Marc Love <Marc.Love-w5+zYyZo3JRBDgjK7y7TUQ@public.gmane.org> wrote:
...
> the backend of my webapp. It looks like the solution is to create two
> separate rails apps, one with only viewing capabilities and one for my
> admin control panel.

That's one way to do it but certainly not the only way.

You just need to create an admin controller and run a before_filter to provide your security checks (or use something like the salted login generator if you don't want to roll your own).

Ben
On Jul 18, 2005, at 11:59 AM, Thomas Fuchs wrote:
> You can do this by using before_filter.
>
> See: http://api.rubyonrails.com/classes/ActionController/Filters/ClassMethods.html for the full docs.
[...]
> In a mixed controller you could have:
>
> before_filter :login_required # for all actions
> before_filter :administrative_rights_required, :only => [:list, :destroy, :edit] # only for these
>
> This will check for both things before "matching" actions of the
> controller take place. if you don't want the action executed, you'd
> have to redirect in the filters.

That's exactly what I was looking for. Thank you!
I prefer separating out all the admin actions, so I move all the c[-r]ud actions into a single admin controller. Then I can create urls like /admin/:action/:id eg(/admin/update_product/5) and just put some protection on the entire admin controller.

joshua
Joshua Bates wrote:
> I prefer separating out all the admin actions, so I move all the
> c[-r]ud actions into a single admin controller.
> Then I can create urls like /admin/:action/:id
> eg(/admin/update_product/5) and just put some protection
> on the entire admin controller.

I prefer this over the single controller method because I can have some assurance that no one will forget to protect methods that need to be protected...
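The two protection styles discussed in the thread side by side, as an added example that is not code from the thread or from Rails itself: Thomas's mixed controller with :only/:except filters (covering Deirdre's participant-versus-admin list view) and the separate Admin:: section that Sean (option 3) and Joshua prefer, where every controller inherits the filters from one base. MiniController, User, ProductsController, Admin::BaseController and dispatch are stand-ins I wrote, the session hashes are constructed, and before_filter here is a small reimplementation of the filter chain, since Rails is not loaded.

```ruby
# Stand-in for the before_filter mechanics the thread relies on. Rails is
# not loaded; this reproduces only a filter chain with :only/:except that
# subclasses inherit and that runs before every action, however reached.
class MiniController
  class AccessDenied < StandardError; end

  def self.filters
    @filters ||= []
  end

  def self.before_filter(name, opts = {})
    filters << { :name => name, :only => opts[:only], :except => opts[:except] }
  end

  def self.inherited(sub) # a subclass starts with a copy of the parent's chain
    super
    sub.instance_variable_set(:@filters, filters.dup)
  end

  def initialize(session); @session = session; end
  def access_denied; raise AccessDenied; end

  def process(action) # applicable filters run first, then the action itself
    self.class.filters.each do |f|
      next if f[:only] && !f[:only].include?(action)
      next if f[:except] && f[:except].include?(action)
      send(f[:name])
    end
    send(action)
  end
end

class User # stand-in for a model with has_many :rights (held here as names)
  def initialize(rights); @rights = rights; end
  def allowed?(name); @rights.include?(name); end
end

class ApplicationController < MiniController
  def login_required
    access_denied unless @session[:user]
  end

  # Thomas's check, written to fail closed when no user is in the session.
  def administrative_rights_required
    user = @session[:user]
    access_denied unless user && user.allowed?('admin')
  end
end

# Mixed controller as in Thomas's reply: :show is public, :list needs the
# admin right (Deirdre's participant-versus-admin case).
class ProductsController < ApplicationController
  before_filter :login_required, :except => [:show]
  before_filter :administrative_rights_required, :only => [:list]
  def show; :shown; end
  def list; :listed; end
end

# Separate admin section (option 3 in the thread): every controller under
# Admin:: inherits both filters, so a write action cannot ship unprotected.
module Admin
  class BaseController < ApplicationController
    before_filter :login_required
    before_filter :administrative_rights_required
  end

  class ProductsController < BaseController
    def destroy; :destroyed; end
  end
end

# Returns the action's result, or :denied when a filter stops the request
# (the check happens on the method itself, not in the UI that links to it).
def dispatch(controller_class, session, action)
  controller_class.new(session).process(action)
rescue MiniController::AccessDenied
  :denied
end
```

Calling dispatch(Admin::ProductsController, session, :destroy) directly, with no link in any view, is the case Steven's point is about: a participant session gets :denied because the filter sits on the action, not on the navigation.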
Steven,

Perhaps this doesn't answer your question, but you might take a look at how Typo does this. The admin screens are separated by url and the login filter is selectively applied to them.

http://typo.leetsoft.com/trac/

Rob

On 18-Jul-05, at 3:06 PM, Ben Myles wrote:
> [...]