I am using restful_authentication in combination with role_requirement.

At the beginning of the controllers that I want to have login control over, I include

    require_role "user"
    require_role "admin"

For instance. If I login as either of the two roles then call a controller it works fine. However if I do not login at all and simply call a controller, it lets me right in. It doesn't restrict access whatsoever. No redirect to a login page or nothing.

How do I restrict access if no user is logged in at all?

Thanks

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

You could use a before_filter in combination with the AuthenticatedSystem Module. Just add the following in your controller:

    before_filter :login_required

You can also give the filter more options in case you want the login only for a couple of specific actions, or for all actions but one...

On Mon, Apr 13, 2009 at 6:23 PM, elliottg <x@simplecircle.net> wrote:
> I am using restful_authentication in combination with role_requirement.
>
> At the beginning of the controllers that I want to have login control
> over, I include
>
> require_role "user"
> require_role "admin"
>
> For instance. If I login as either of the two roles then call a
> controller it works fine. However if I do not login at all and simply
> call a controller, it lets me right in. It doesn't restrict access
> whatsoever. No redirect to a login page or nothing.
>
> How do I restrict access if no user is logged in at all?
>
> Thanks

Thanks for the input.

I tried using before_filter :login_required along with the require_role calls but it doesn't work either.

Maybe there's a conflict between the two plugins?

Any thoughts?

Thanks

On Apr 13, 12:26 pm, Niels Nuyttens <niels.nuytt...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> You could use a before_filter in combination with the AuthenticatedSystem
> Module. Just add the following in your controller:
> before_filter :login_required
>
> You can also give the filter more options in case you want the login only
> for a couple of specific actions, or for all actions but one...

I'm using it right here in my own projects, they work alongside just fine...

    before_filter :login_required, :only => [ :change_password ]
    require_role "admin", :for => :edit, :unless => lambda { |user,params|
      return params[:id].to_i==user.id
    }
    require_role "admin", :for => [:index, :init_mailing]

Not sure where your problem could be coming from...

On Mon, Apr 13, 2009 at 7:59 PM, elliottg <x@simplecircle.net> wrote:
> Thanks for the input.
>
> I tried using before_filter :login_required along with the
> require_role calls but it doesn't work either.
>
> Maybe there's a conflict between the two plugins?
>
> Any thoughts?
>
> Thanks

OK good to know. I may have broken something while modifying one of the plugins then.

Thanks heaps Niels, that has set me in the right direction at least.

Elliott

On Apr 13, 2:03 pm, Niels Nuyttens <niels.nuytt...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I'm using it right here in my own projects, they work alongside just fine...
> before_filter :login_required, :only => [ :change_password ]
> require_role "admin", :for => :edit, :unless => lambda { |user,params|
>   return params[:id].to_i==user.id
> }
> require_role "admin", :for => [:index, :init_mailing]
>
> Not sure where your problem could be coming from...

You're most welcome,
Good luck fixing!

On Mon, Apr 13, 2009 at 8:25 PM, elliottg <x@simplecircle.net> wrote:
> OK good to know. I may have broken something while modifying one
> of the plugins then.
>
> Thanks heaps Niels, that has set me in the right direction at least.
>
> Elliott

Actually

    require_role "user"
    require_role "admin"

should be enough to protect your actions. I do it like that in my projects.

Nico

On Apr 13, 10:22 pm, Niels Nuyttens <niels.nuytt...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> You're most welcome,
> Good luck fixing!

Hello Elliott,
Are you sure that:

1. You have these roles defined in the roles table? and;
2. There is an entry for row_id and user_id in your roles_users table?

For example,

If admin user has a user_id of 1 in users table and your roles table defines the "admin" role with a role_id = 1 then you must have a row in roles_users table corresponding to this combination:

    role_id = 1, user_id = 1

Check if you have done this.
Bharat

I had broken r_a#before_filter :login_required by tweaking the source to make some tests pass. That change had also altered the way the r_r#require_role was working. I changed the code back, and now require_role "user" & require_role "admin" do as they should without having to use before_filter :login_required as well.

Thanks for the help guys!

On Apr 14, 7:49 am, Bharat <bcrupa...-/E1597aS9LQAvxtiuMwx3w@public.gmane.org> wrote:
> Hello Elliott,
> Are you sure that:
>
> 1. You have these roles defined in the roles table? and;
> 2. There is an entry for row_id and user_id in your roles_users table?
>
> For example,
>
> If admin user has a user_id of 1 in users table and your roles table
> defines the "admin" role with a role_id = 1 then you must have a row
> in roles_users table corresponding to this combination:
>
> role_id = 1, user_id = 1
>
> Check if you have done this.
> Bharat

Bharat Ruparel wrote:
> Hello Elliott,
> Are you sure that:
>
> 1. You have these roles defined in the roles table? and;
> 2. There is an entry for row_id and user_id in your roles_users table?
>
> For example,
>
> If admin user has a user_id of 1 in users table and your roles table
> defines the "admin" role with a role_id = 1 then you must have a row
> in roles_users table corresponding to this combination:
>
> role_id = 1, user_id = 1
>
> Check if you have done this.
> Bharat

Sorry for resurrecting an old thread, but this situation describes exactly the situation I have set up. Yet I can't get the user to authenticate as an administrator.

I have a single user who I have granted admin rights, in the admins_users table:

| admin_id | user_id |
+----------+---------+
|        1 |       1 |

Where in the user table the user has ID = 1. The user is also in the admins table:

| id | name |
+----+------+
|  1 | test |

However, I am seeing this query deny the user access:

    User Columns (1.3ms) SHOW FIELDS FROM `users`
    User Load (0.5ms) SELECT * FROM `users` WHERE (`users`.`id` = 1) LIMIT 1
    admins_users Columns (0.8ms) SHOW FIELDS FROM `admins_users`
    Admin Load (1.2ms) SELECT * FROM `admins` INNER JOIN `admins_users` ON `admins`.id = `admins_users`.admin_id WHERE (`admins_users`.user_id = 1 )
    Admin Columns (0.8ms) SHOW FIELDS FROM `admins`
    Filter chain halted as [:check_roles] rendered_or_redirected.

I always end up with the following text: 'You don't have access here.'

It seems like something is going wrong here:

    def check_roles
      return access_denied unless self.class.<%= users_name %>_authorized_for?(current_<%= users_name %>, params, binding)
      true
    end

However, I can't seem to discover why the user is denied access.
-- Posted via http://www.ruby-forum.com/.

> However, I can't seem to discover why the user is denied access.

Within the user model there is a method called has_role? which compares all names in the admin table versus "admin". If it matches then the user is granted admin access.

I modified has_role? by passing the user's id in as well (lib/role_requirement_system.rb line 100). It now compares the user's id vs the ids in the admin table. A match grants admin access.
-- Posted via http://www.ruby-forum.com/.
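
Added example (not part of the original thread, and not the source of restful_authentication or role_requirement): a simplified Ruby model of the checks discussed above. It shows the filter denying a request when nobody is logged in, why a name-based has_role? rejects the posted data (the role row is named "test", not "admin"), and how an id comparison, read here as an assumption about the change in the last post, grants access on an id coincidence without any join-table row. Role, User, roles_for, check_roles, check_roles_by_id and build_user are hypothetical names; the "editor" row and the renamed role are constructed.

```ruby
# Constructed, simplified model of the checks discussed in the thread.
# Not the source of restful_authentication or role_requirement.
Role = Struct.new(:id, :name)

User = Struct.new(:id, :roles) do
  # Name-based check: compare the names of this user's joined roles
  # with the required role name.
  def has_role?(required)
    roles.map(&:name).include?(required.to_s)
  end
end

# Resolve a user's roles through the join table (admin_id, user_id).
def roles_for(user_id, roles, joins)
  ids = joins.select { |j| j[:user_id] == user_id }.map { |j| j[:admin_id] }
  roles.select { |r| ids.include?(r.id) }
end

# Fail-closed filter: a request with no logged-in user is denied
# before any role lookup happens.
def check_roles(current_user, required)
  return :access_denied unless current_user
  current_user.has_role?(required) ? :ok : :access_denied
end

# Assumed reading of the id-based change: grant when the user's id equals
# any id in the admins table. The join table is never consulted.
def check_roles_by_id(current_user, roles)
  return :access_denied unless current_user
  roles.map(&:id).include?(current_user.id) ? :ok : :access_denied
end

POSTED_ADMINS = [Role.new(1, "test")]            # admins table as posted
POSTED_JOINS  = [{ admin_id: 1, user_id: 1 }]    # admins_users as posted
RENAMED       = [Role.new(1, "admin")]           # constructed: role renamed
TWO_ROLES     = [Role.new(1, "admin"), Role.new(2, "editor")] # constructed

def build_user(id, roles, joins = POSTED_JOINS)
  User.new(id, roles_for(id, roles, joins))
end

def demo
  {
    anonymous:     check_roles(nil, "admin"),
    posted_data:   check_roles(build_user(1, POSTED_ADMINS), "admin"),
    role_renamed:  check_roles(build_user(1, RENAMED), "admin"),
    user2_by_name: check_roles(build_user(2, TWO_ROLES), "admin"),
    user2_by_id:   check_roles_by_id(build_user(2, TWO_ROLES), TWO_ROLES)
  }
end

demo.each { |label, result| puts "#{label}: #{result}" }
```

User 2 has no row in the join table, so the name-based check denies it while the id comparison lets it through; keeping the lookup tied to the join table and the role name avoids that.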