Rails - Jun 2008 - How to have users who can only view his/her own stuff.

I know that it is better to have codes when asking questions here, but
I have none, which is kind of why I am asking.

I want to make a to-do list for my friends and family, I learned from
the Agile Development With Rails to make an administrator login. But I
don''t seem to be able to figure out how to create users each of which
is restricted to view his or her own pages within the application.

Is there any tutorials/book on this?

Thank You
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 13 Jun 2008, at 01:32, Nik wrote:
>
> I know that it is better to have codes when asking questions here, but
> I have none, which is kind of why I am asking.
>
> I want to make a to-do list for my friends and family, I learned from
> the Agile Development With Rails to make an administrator login. But I
> don''t seem to be able to figure out how to create users each of
which
> is restricted to view his or her own pages within the application.
Slightly open ended question, but if you''re asking what I think you  
are then typically you just let the association methods do the work  
for you. Eg if User has_many :foos then instead of using  
Foo.find :all, use some_user.foos.find :all, which guarantees that you  
will only ever get things belonging to that user (it behaves like a  
regular find apart from that, so you can pass conditions, a specific  
id etc...)


Fred 

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Jun 12, 2008, at 5:42 PM, Frederick Cheung wrote:
> On 13 Jun 2008, at 01:32, Nik wrote:
>
>> I know that it is better to have codes when asking questions here,  
>> but
>> I have none, which is kind of why I am asking.
>>
>> I want to make a to-do list for my friends and family, I learned from
>> the Agile Development With Rails to make an administrator login.  
>> But I
>> don''t seem to be able to figure out how to create users each
of which
>> is restricted to view his or her own pages within the application.
>
> Slightly open ended question, but if you''re asking what I think
you
> are then typically you just let the association methods do the work
> for you. Eg if User has_many :foos then instead of using
> Foo.find :all, use some_user.foos.find :all, which guarantees that you
> will only ever get things belonging to that user (it behaves like a
> regular find apart from that, so you can pass conditions, a specific
> id etc...)
For more on that line of thought...

http://www.therailsway.com/reference
http://jamesgolick.com/2008/2/11/an-introduction-to-association-proxy

-- gw



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi

I will just explain u with simple basic logic..When u want to restrict 
the page or make something available to the related user only u can 
easily give user restriction..

each and every user have their own id..So first u can fetch the id of 
the user that has logged in and after that u can check in the user table 
whose id is that..

once u have completed that work u just need to fire a query which will 
display all the tast where user = to the current user who has logged 
in..

this is the simple login which can be easily translated into code..even 
with the basic rails knowlege


Thanks

Dhaval Parikh
Software Engineer
www.railshouse.com
sales(AT)railshouse(DOT)com
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

My most sincere thanks to you all.

All GREAT!. And they will serve me to unveil the eventual codes that
will get me to the target functionality.

I have thought about the limiting all tasks found according to the
logged-in user ID, hence
@errands = Errand.find(:all, :condition =>''user_id
=?'',''logged_in_id'')

But is this better(?):
@errands = User(logged_in_id).errands?

I mean, they fetch the same errands, but security-wise, which would
you prefer and if it is not too much trouble, why?

Hope you had a nice weekend!
And really, thanks so much for writing back! If you''re in Berlin, let
me buy you a bier.

All my best,

On Jun 13, 9:03 am, Dhaval Parikh
<rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
wrote:
> Hi
>
> I will just explain u with simple basic logic..When u want to restrict
> the page or make something available to the relateduseronly u can
> easily giveuserrestriction..
>
> each and everyuserhave their own id..So first u can fetch the id of
> theuserthat has logged in and after that u can check in theusertable
> whose id is that..
>
> once u have completed that work u just need to fire a query which will
> display all the tast whereuser= to the currentuserwho has logged
> in..
>
> this is the simple login which can be easily translated into code..even
> with the basic rails knowlege
>
> Thanks
>
> Dhaval Parikh
> Software Engineerwww.railshouse.com
> sales(AT)railshouse(DOT)com
> --
> Posted viahttp://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

> I have thought about the limiting all tasks found according to the
> logged-in user ID, hence
> @errands = Errand.find(:all, :condition =>''user_id
=?'',''logged_in_id'')
>
> But is this better(?):
> @errands = User(logged_in_id).errands?
you mean
> @errands = User.find(logged_in_id).errands?
which is the better one.
Only that most people would either use a plugin for the login stuff or
at least
put that in helpers and before_filters

something like:

def current_login
  @current_login ||= Login.find(session[:login]) if session[:login]
end

in application.rb

then
current_login.errands

or whatever you look for.
From security view it''s all the same, as long as you
make sure only to list errands that have the user_id of the logged in
user
(And this must be the one stored in the session after authentication,
no id that comes from the browser)
The association like thing current_login.errands is just more Ruby
like
and better to read.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Thanks for your help Thorsten, -- I was on a 25 hour day schedule and
put off this until today. --- I used the "login system" provided as an
example in the book Agile Web Development with Rails. I think it works
okay so far.

May I ask one more (tougher) question?

Well, my co-worker and I were to work on this Macro for the office, so
I added a task in my own account, but it ''d be great if she can see
it, too, in her account. So it''s sort of like collaborating, but of
course, this is just a piece of read-only information to
''collaborate''
on. So now, I have this One User Can Have Many Tasks, AND One Task Can
Belong To Multiple Users thing. Is there an easy way to pull this off?

Thank You !
Merci!
Danke!
Nik



On Jun 16, 5:17 pm, Thorsten Müller
<thors...-1oxKqHKwyltBDgjK7y7TUQ@public.gmane.org>
wrote:
> > I have thought about the limiting all tasks found according to the
> > logged-in user ID, hence
> > @errands = Errand.find(:all, :condition =>''user_id
=?'',''logged_in_id'')
>
> > But is this better(?):
> > @errands = User(logged_in_id).errands?
>
> you mean
>
> > @errands = User.find(logged_in_id).errands?
>
> which is the better one.
> Only that most people would either use a plugin for the login stuff or
> at least
> put that in helpers and before_filters
>
> something like:
>
> def current_login
>   @current_login ||= Login.find(session[:login]) if session[:login]
> end
>
> in application.rb
>
> then
> current_login.errands
>
> or whatever you look for.
> From security view it''s all the same, as long as you
> make sure only to list errands that have the user_id of the logged in
> user
> (And this must be the one stored in the session after authentication,
> no id that comes from the browser)
> The association like thing current_login.errands is just more Ruby
> like
> and better to read.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Sure, that''s a has_and_belongs_to_many thing then.
This can be done two ways.
The simple one (needs no model):
create a relation table named users_tasks which contains user_id and
task_id

Users model:
has_and_belongs_to_many :tasks

Tasks model:
has_and_belongs_to_many :users

Then you can use all the common functions
@user.tasks << Task.new(...params...)
@user.tasks.each do |task|...
and so on

Disadvantage of this approach is, that you can''t store more
information
in the intermediate table and can''t access it in other ways, since it
has no
model of it''s own.
Lots of Rails programmers (if not most) go another way, slightly more
work to setup, but with more options:

Create a model name UserTasks (columns: id, user_id, :task_id and
whatever information you may need), then
User model:
has_many :user_tasks
has_many :tasks :through :user_tasks

Task:
has_many :user_tasks
has_many :users :through :user_tasks

UserTasks:
belongs_to :user
belongs_to :task

The tricky part (ok, not so tricky) is the through option which
defines
relations over the intermediate table, so in the end you can again do
@user.tasks
and get them all
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---