Jesse P.
2007-Aug-03 02:36 UTC
Redirection as POST to enable authentication for POST actions
Hi all, I am wondering if anyone can help me or has had similar experiences before: I am trying to authenticate users before allowing them to access certain actions (create, update, destroy) in my controller, e.g. items_controller. I have done this by using a before_filter that redirects them to a users_controller if session[:login] is nil. (e.g. items/update/25 redirects to users/login) What I want to do is: 1. Preserve the original paramaters in all redirections (from items/ update/25 to users/login, users/login to users/authenticate, and users/ authenticate to items/update/25) 2. To make the authentication transparent to the actions (they need not care/know if the incoming request is a redirection due to authentication or if its a normal request). I have come up with this incomplete solution: 1. I use flash to propagate the parameters (request.parameters) from items/update/25 to users/login to users/authenticate to items/update/ 25. I wasnt able to use session variables because it doesnt seem to be preserved across controllers (im not so sure about the reason). 2. I manually inserted the parameters back into params by applying a before_filter for the actions (create, update, destroy) The problem I have for the above solution is: 1. Its not very transparent as I have to manually insert the parameters back to params, but worst of all 2. The redirection causes the request to become a GET not a POST and I have to turn off the verify code (the one generated by scaffolding) that restricts Create, Update, and Destroy actions to POST. Does anyone have any advice for the above? Best regards, Jesse P. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Pratik
2007-Aug-03 12:43 UTC
Re: Redirection as POST to enable authentication for POST actions
See how restful_authentication plugin does it. Check #store_location in http://svn.techno-weenie.net/projects/plugins/restful_authentication/generators/authenticated/templates/authenticated_system.rb On 8/3/07, Jesse P. <j.prabawa-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> > Hi all, > > I am wondering if anyone can help me or has had similar experiences > before: > > I am trying to authenticate users before allowing them to access > certain actions (create, update, destroy) in my controller, e.g. > items_controller. I have done this by using a before_filter that > redirects them to a users_controller if session[:login] is nil. (e.g. > items/update/25 redirects to users/login) > > What I want to do is: > 1. Preserve the original paramaters in all redirections (from items/ > update/25 to users/login, users/login to users/authenticate, and users/ > authenticate to items/update/25) > 2. To make the authentication transparent to the actions (they need > not care/know if the incoming request is a redirection due to > authentication or if its a normal request). > > I have come up with this incomplete solution: > 1. I use flash to propagate the parameters (request.parameters) from > items/update/25 to users/login to users/authenticate to items/update/ > 25. I wasnt able to use session variables because it doesnt seem to be > preserved across controllers (im not so sure about the reason). > 2. I manually inserted the parameters back into params by applying a > before_filter for the actions (create, update, destroy) > > The problem I have for the above solution is: > 1. Its not very transparent as I have to manually insert the > parameters back to params, but worst of all > 2. The redirection causes the request to become a GET not a POST and I > have to turn off the verify code (the one generated by scaffolding) > that restricts Create, Update, and Destroy actions to POST. > > Does anyone have any advice for the above? > > Best regards, > > Jesse P. > > > > >-- Cheers! - Pratik http://m.onkey.org --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Jesse P.
2007-Aug-05 03:22 UTC
Re: Redirection as POST to enable authentication for POST actions
Hi Pratik, I have read the code you mentioned and I doesnt even seem to save the parameters, yet along handle POST. It merely does redirect_to from a saved URI. Best regards, Jesse On Aug 3, 8:43 pm, Pratik <pratikn...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> See how restful_authentication plugin does it. > > Check #store_location inhttp://svn.techno-weenie.net/projects/plugins/restful_authentication/... > > On 8/3/07, Jesse P. <j.prab...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > > > > > Hi all, > > > I am wondering if anyone can help me or has had similar experiences > > before: > > > I am trying to authenticate users before allowing them to access > > certain actions (create, update, destroy) in my controller, e.g. > > items_controller. I have done this by using a before_filter that > > redirects them to a users_controller if session[:login] is nil. (e.g. > > items/update/25 redirects to users/login) > > > What I want to do is: > > 1. Preserve the original paramaters in all redirections (from items/ > > update/25 to users/login, users/login to users/authenticate, and users/ > > authenticate to items/update/25) > > 2. To make the authentication transparent to the actions (they need > > not care/know if the incoming request is a redirection due to > > authentication or if its a normal request). > > > I have come up with this incomplete solution: > > 1. I use flash to propagate the parameters (request.parameters) from > > items/update/25 to users/login to users/authenticate to items/update/ > > 25. I wasnt able to use session variables because it doesnt seem to be > > preserved across controllers (im not so sure about the reason). > > 2. I manually inserted the parameters back into params by applying a > > before_filter for the actions (create, update, destroy) > > > The problem I have for the above solution is: > > 1. Its not very transparent as I have to manually insert the > > parameters back to params, but worst of all > > 2. The redirection causes the request to become a GET not a POST and I > > have to turn off the verify code (the one generated by scaffolding) > > that restricts Create, Update, and Destroy actions to POST. > > > Does anyone have any advice for the above? > > > Best regards, > > > Jesse P. > > -- > Cheers! > - Pratikhttp://m.onkey.org--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Shai Rosenfeld
2007-Aug-05 11:02 UTC
Re: Redirection as POST to enable authentication for POST ac
Hi Jesse, i don''t think you should be having the problems you''re having ... an authenticated system is pretty straight-forward, and i think all the answers to your problems shouldn''t be too hard to catch, if using you''re using http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated there are docs and all... if you are using this, and are still having trouble, maybe you should paste some code so we can dig in a little bit to as what the exact problem is: *) passing variables via flash, is a pretty bad practice... i personally wouldn''t do that *) session variables should definitely be passed through controllers, so that problem is probably more technical rather than a RoR problem. maybe u should post some code -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Jesse P.
2007-Aug-06 07:41 UTC
Re: Redirection as POST to enable authentication for POST ac
Hi Shai, Thanks for your comments. For the parameters, I am now using session variables and it works across controllers (im not sure why it didnt work the other time). But as for acts_as_authenticated, I have seen the code and it doesnt store any parameters from the original request. It merely stores the URI. After authentication, it redirects to the saved URI in the session variable. There are 2 problems with this: 1. I want to be able to save the parameters from the original request 2. I want to redirect as POST not GET to the original URI In light of the above, I dont think acts_as_authenticated will work for me. In your experience, do you have any other possible suggestions? Thanks, Jesse On Aug 5, 7:02 pm, Shai Rosenfeld <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> HiJesse, > > i don''t think you should be having the problems you''re having ... an > authenticated system is pretty straight-forward, and i think all the > answers to your problems shouldn''t be too hard to catch, if using you''re > using > > http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated > > there are docs and all... > if you are using this, and are still having trouble, maybe you should > paste some code so we can dig in a little bit to as what the exact > problem is: > > *) passing variables via flash, is a pretty bad practice... i personally > wouldn''t do that > *) session variables should definitely be passed through controllers, so > that problem is probably more technical rather than a RoR problem. maybe > u shouldpostsome code > > -- > Posted viahttp://www.ruby-forum.com/.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Ashley Thomas
2007-Aug-06 12:50 UTC
Re: Redirection as POST to enable authentication for POST ac
I''m interested in this too. Something like this can occur if a user starts a form while authenticated, but then submits it after their authentication has timed out. I want to be able to reauthenticate them with a minimum of fuss and get back to handling their POST without making them start the form over again or back-button back to the form. One possibility is to have the action allow GET requests in which case it looks in the session to see if there''s data intended for that action. But you''d have to do this for every single form-handling action. Maybe it could be handled in ActionController''s before_filter: if a GET request''s action matches the name of the action stored in the session data as the intended target for the session''s stored POST data, then stuff that session data into params. I''m a little concerned about such session data getting orphaned or stale. If the user failed to authenticate, or just wandered off somewhere else, how would that session data get removed? What happens if they start the form over differently with old form data still sitting in their session? I don''t think there''s a way to redirect as a POST request. A redirect is just a message to the user''s browser saying, hey, this page has moved, here''s the new address, and it''s up to the browser to decide what to do, and they all just submit GET requests for the new page. This issue seems like such an obvious thing, that it makes me worried that there isn''t an obvious rails pattern or plug-in for this. Maybe other designers are punting on this or designing apps in such a way that it never comes up. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Rick Olson
2007-Aug-06 14:28 UTC
Re: Redirection as POST to enable authentication for POST ac
> This issue seems like such an obvious thing, that it makes me worried > that there isn''t an obvious rails pattern or plug-in for this. Maybe > other designers are punting on this or designing apps in such a way that > it never comes up.Bingo, check out the restful_authentication plugin. http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated http://svn.techno-weenie.net/projects/plugins/restful_authentication/ http://svn.techno-weenie.net/projects/plugins/acts_as_authenticated/ -- Rick Olson http://lighthouseapp.com http://weblog.techno-weenie.net http://mephistoblog.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Ashley Thomas
2007-Aug-06 15:38 UTC
Re: Redirection as POST to enable authentication for POST ac
Rick, I looked at restful_authentication (just your second link). I see it storing the url to redirect back to after authentication (authenticated_system.rb#login_required -> access_denied -> store_location), but I don''t see it storing POST data (params) for later use. Where does that happen? -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---