I want to restrict access to an object's show action to the owner.

In my action I have this:

  def show
    @thing = Thing.find(params[:id])
    if current_user && @thing.owner == current_user
      respond_to do |format|
        format.json { render :json => @thing }
      end
    else
      render :status => :forbidden, :text => "API requires authentication for the minute."
    end
  end

Which works in the browser; however, when running functional tests, even though @thing.owner is the same user as current_user it is not the same object, so the comparison fails. As I see it I have a few options, but wanted to try and gauge what people feel is the best way:

1) adjust the test setup so the logged in user is the same object and the comparison returns true (I have no idea how I would go about doing this)

2) just do current_user.id == @thing.owner.id; this seems like the most obvious and easiest, but somehow less elegant

3) write my own comparison method on my user class, either:

  def is_equal_to_user(user)
    return user.id == self.id
  end

or:

  def is_current_user
    return current_user.id == self.id
  end

4) something else I haven't thought about

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Frederick Cheung
2011-Feb-12 09:21 UTC
Re: is equal operator to check current user is owner
On Feb 11, 10:40 pm, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I want to restrict access to an object's show action to the owner
>
> in my action I have this
>
> def show
>   @thing = Thing.find(params[:id])
>   if current_user && @thing.owner == current_user
>     respond_to do |format|
>       format.json { render :json => @thing }
>     end
>   else
>     render :status => :forbidden, :text => "API requires authentication for the minute."
>   end
> end
>
> Which works in the browser, however when running functional tests even
> though @thing.owner is the same user as current_user it is not the
> same object so the comparison fails as I see it I have a few options
> but wanted to try and gauge what people feel is the best way
>
> 1) adjust the test setup so the logged in user is the same object and
> the comparison returns true (I have no idea how I would go about doing
> this)
>
> 2) just do current_user.id == @thing.owner.id, this seems like the
> most obvious and easiest but somehow less elegant

That is what == on two active record objects does (plus a little bit of subtlety around new, unsaved objects).

How are you setting up the test?

Fred

> 3) write my own comparison method on my user class, either:
>
> def is_equal_to_user(user)
>   return user.id == self.id
> end
>
> or:
>
> def is_current_user
>   return current_user.id == self.id
> end
>
> 4) something else I haven't thought about
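Fred's point, that == on two ActiveRecord objects already compares by class and id with a special case for unsaved records, as an added example that is not code from the thread or from Rails. It uses a plain-Ruby `Record` base class whose `==` follows the same rule ActiveRecord::Base#== applies, so it runs without a database; `Record`, the `User`/`Thing` subclasses, `owner?` and the ids are constructed for the illustration:

```ruby
# Added example, not code from the thread: a minimal stand-in for the rule
# ActiveRecord::Base#== applies, so the comparison in the show action can be
# exercised with plain Ruby. Record, User, Thing and the ids are constructed.
class Record
  attr_reader :id

  def initialize(id = nil)
    @id = id
  end

  # An unsaved record has no id yet.
  def new_record?
    @id.nil?
  end

  # ActiveRecord's rule: equal when it is the very same object, or when the
  # other is an instance of the same class with the same persisted id.
  # Unsaved records are therefore never equal to anything but themselves.
  def ==(other)
    equal?(other) ||
      (other.instance_of?(self.class) && !new_record? && other.id == id)
  end

  def eql?(other)
    self == other
  end

  # Keep hash consistent with ==, so records work as Hash keys / in Sets.
  def hash
    new_record? ? super : [self.class, id].hash
  end
end

class User < Record; end
class Thing < Record; end

# The check from the thread's show action: a signed-in user who is the owner.
def owner?(thing_owner, current_user)
  !current_user.nil? && thing_owner == current_user
end

# Two User instances loaded separately for id 1 (what the session helper and
# the owner association hand back) compare equal despite being distinct objects.
SAME_USER_TWICE = owner?(User.new(1), User.new(1))

# A different user with a different id is not the owner.
OTHER_USER = owner?(User.new(1), User.new(2))

# Class is part of the rule: Thing 1 is not User 1.
CROSS_CLASS = (Thing.new(1) == User.new(1))

# Two unsaved users are distinct, which bites a test that builds the owner
# with User.new and never saves it.
UNSAVED_TWICE = (User.new == User.new)

# No session (nil current_user) is never the owner.
NO_SESSION = owner?(User.new(1), nil)
```

The `puts user` output later in the thread (two different `#<User:0x...>` addresses with the same id) is exactly the situation the first case covers: distinct objects, equal records. The unsaved case is the one to watch in tests, since a fixture or factory that builds but never saves the owner will never compare equal to the logged-in user.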
On 11 February 2011 22:40, msaspence <msaspence-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I want to restrict access to an object's show action to the owner
>
> in my action I have this
>
> def show
>   @thing = Thing.find(params[:id])
>   if current_user && @thing.owner == current_user

Not related to your problem, but just pointing out that you might be better to use a :conditions option in the find so that it only finds the current user's things in the first place. Then put this in a named scope in the Thing model and the above reduces to something like

  @thing = Thing.current_users_things.find(params[:id])

Colin

>     respond_to do |format|
>       format.json { render :json => @thing }
>     end
>   else
>     render :status => :forbidden, :text => "API requires authentication for the minute."
>   end
> end
>
> [...]
On Feb 12, 9:53 am, Colin Law <clan...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> On 11 February 2011 22:40, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > I want to restrict access to an object's show action to the owner
> >
> > in my action I have this
> >
> > def show
> >   @thing = Thing.find(params[:id])
> >   if current_user && @thing.owner == current_user
>
> Not related to your problem, but just pointing out that you might be
> better to use a :conditions option in the find so that it only finds
> the current user's things in the first place. Then put this in a named
> scope in the Thing model and the above reduces to something like
> @thing = Thing.current_users_things.find(params[:id])
>
> Colin

But if it doesn't find anything I won't know whether to return a 404 or a 403.

> [...]
On Feb 12, 9:21 am, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Feb 11, 10:40 pm, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > I want to restrict access to an object's show action to the owner
> >
> > in my action I have this
> >
> > def show
> >   @thing = Thing.find(params[:id])
> >   if current_user && @thing.owner == current_user
> >     respond_to do |format|
> >       format.json { render :json => @thing }
> >     end
> >   else
> >     render :status => :forbidden, :text => "API requires authentication for the minute."
> >   end
> > end
> >
> > Which works in the browser, however when running functional tests even
> > though @thing.owner is the same user as current_user it is not the
> > same object so the comparison fails as I see it I have a few options
> > but wanted to try and gauge what people feel is the best way
> >
> > 1) adjust the test setup so the logged in user is the same object and
> > the comparison returns true (I have no idea how I would go about doing
> > this)
> >
> > 2) just do current_user.id == @thing.owner.id, this seems like the
> > most obvious and easiest but somehow less elegant
>
> That is what == on two active record objects does (plus a little bit of
> subtlety around new, unsaved objects).
> How are you setting up the test?
>
> Fred

I'm using Authlogic, so have followed the instructions here: http://rdoc.info/github/binarylogic/authlogic/master/Authlogic/TestCase

Matt

> > [...]
On 12 February 2011 10:00, msaspence <msaspence-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Feb 12, 9:53 am, Colin Law <clan...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
>> On 11 February 2011 22:40, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>
>> > I want to restrict access to an object's show action to the owner
>> >
>> > in my action I have this
>> >
>> > def show
>> >   @thing = Thing.find(params[:id])
>> >   if current_user && @thing.owner == current_user
>>
>> Not related to your problem, but just pointing out that you might be
>> better to use a :conditions option in the find so that it only finds
>> the current user's things in the first place. Then put this in a named
>> scope in the Thing model and the above reduces to something like
>> @thing = Thing.current_users_things.find(params[:id])
>>
>> Colin
>
> But if it doesn't find anything I won't know whether to return a 404 or
> a 403.

Your current code does not allow that distinction either.

Since I see you are using Authlogic, do you not have a before filter require_user or similar so that you can trap the no-user condition before it even gets to the show action?

Colin
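Colin's scoped lookup, and the 404-versus-403 question in the reply it answers, as an added example that is not code from the thread. It is plain Ruby with a small in-memory store standing in for ActiveRecord; `ThingStore`, `find_for`, `probe`, the `current_user.things` association a scope like `current_users_things` would need, and the ids are assumptions. The point a practitioner cares about: with find-then-check, an authenticated caller who walks ids sees 403 for records that exist and 404 for ones that do not, so the status code doubles as an existence oracle for other people's records. Scoping the query to the caller's own records returns 404 for both, and the no-session case is dealt with up front, which is what a `require_user` before filter does (in a Rails app an unrescued ActiveRecord::RecordNotFound is rendered as a 404 in production anyway):

```ruby
# Added example, not code from the thread: the two lookup strategies under
# discussion, run against an in-memory stand-in for the Thing table so the
# difference in what a caller can learn is visible without Rails.
class RecordNotFound < StandardError; end

Thing = Struct.new(:id, :owner_id)   # constructed stand-in for the AR model
User  = Struct.new(:id)

class ThingStore
  def initialize(things)
    @things = things
  end

  # Stand-in for Thing.find(id): raises when no row matches.
  def find(id)
    @things.find { |t| t.id == id } or raise RecordNotFound
  end

  # Stand-in for a scope such as current_user.things.find(id): the owner
  # condition is part of the query, so someone else's record is "not found".
  def find_for(user, id)
    @things.find { |t| t.id == id && t.owner_id == user.id } or raise RecordNotFound
  end
end

# The thread's original show action: fetch by id, then compare the owner.
# 404 for an id that does not exist, 403 for one that exists but belongs to
# someone else (and also 403 when there is no session), so the status code
# reveals which ids exist.
def show_find_then_check(store, current_user, id)
  thing = store.find(id)
  return 403 unless current_user && thing.owner_id == current_user.id
  200
rescue RecordNotFound
  404
end

# Colin's scoped lookup behind a require_user-style check: an unauthenticated
# caller is rejected before any lookup, and "exists but not yours" is
# indistinguishable from "does not exist".
def show_scoped(store, current_user, id)
  return 401 if current_user.nil?
  store.find_for(current_user, id)
  200
rescue RecordNotFound
  404
end

# Constructed data: Alice (10) owns thing 1, Bob (20) owns thing 2,
# thing 3 does not exist.
STORE = ThingStore.new([Thing.new(1, 10), Thing.new(2, 20)])
ALICE = User.new(10)

# Statuses a signed-in user sees when walking a list of ids with a strategy.
def probe(strategy, user, ids)
  ids.map { |id| send(strategy, STORE, user, id) }
end

# probe(:show_find_then_check, ALICE, [1, 2, 3])  # => [200, 403, 404]
# probe(:show_scoped, ALICE, [1, 2, 3])           # => [200, 404, 404]
```

If you do want distinct statuses for "missing" and "not yours", make that a deliberate choice for the resource in question rather than a side effect of where the check happens; for most per-user data the scoped 404 is the safer default.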
On Feb 12, 10:11 am, Colin Law <clan...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> On 12 February 2011 10:00, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > On Feb 12, 9:53 am, Colin Law <clan...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> >> [...]
> >> Not related to your problem, but just pointing out that you might be
> >> better to use a :conditions option in the find so that it only finds
> >> the current user's things in the first place. Then put this in a named
> >> scope in the Thing model and the above reduces to something like
> >> @thing = Thing.current_users_things.find(params[:id])
> >>
> >> Colin
> >
> > But if it doesn't find anything I won't know whether to return a 404 or
> > a 403.
>
> Your current code does not allow that distinction either.
>
> Since I see you are using Authlogic, do you not have a before filter
> require_user or similar so that you can trap the no-user condition before
> it even gets to the show action?
>
> Colin

Not yet, but I can add it in easy enough (pseudo code):

  def show
    @thing = Thing.find_by_id(params[:id])   # nil instead of raising when not found
    if @thing.nil?
      head :not_found                         # 404
    elsif current_user && @thing.owner == current_user
      respond_to do |format|
        format.json { render :json => @thing }
      end
    else
      render :status => :forbidden, :text => "API requires authentication for the minute."
    end
  end

require_user does sound like a more elegant way to do "if current_user", but it still doesn't solve current_user == @thing.owner.
On Feb 12, 10:11 am, Colin Law <clan...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> On 12 February 2011 10:00, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > On Feb 12, 9:53 am, Colin Law <clan...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> >> [...]
> >> Not related to your problem, but just pointing out that you might be
> >> better to use a :conditions option in the find so that it only finds
> >> the current user's things in the first place. Then put this in a named
> >> scope in the Thing model and the above reduces to something like
> >> @thing = Thing.current_users_things.find(params[:id])
> >>
> >> Colin
> >
> > But if it doesn't find anything I won't know whether to return a 404 or
> > a 403.
>
> Your current code does not allow that distinction either.
>
> Since I see you are using Authlogic, do you not have a before filter
> require_user or similar so that you can trap the no-user condition before
> it even gets to the show action?
>
> Colin

No, but I could add it in at some point (pseudo code):

  def show
    @thing = Thing.find_by_id(params[:id])   # nil instead of raising when not found
    if @thing.nil?
      head :not_found                         # 404
    elsif current_user && @thing.owner == current_user
      respond_to do |format|
        format.json { render :json => @thing }
      end
    else
      render :status => :forbidden, :text => "API requires authentication for the minute."
    end
  end

require_user sounds like a better way to do "if current_user", but does solve the current_user == @thing.owner part.
Frederick Cheung
2011-Feb-13 07:47 UTC
Re: is equal operator to check current user is owner
On Feb 12, 10:01 am, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> I'm using Authlogic, so have followed the instructions here: http://rdoc.info/github/binarylogic/authlogic/master/Authlogic/TestCase
>

Have you tried sticking some breakpoints in your code to see how current_user and @thing.owner differ?

Fred
On Feb 13, 7:47 am, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Feb 12, 10:01 am, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > I'm using Authlogic, so have followed the instructions here: http://rdoc.info/github/binarylogic/authlogic/master/Authlogic/TestCase
>
> Have you tried sticking some breakpoints in your code to see how
> current_user and @thing.owner differ?
>

Sorry, I'm still getting into Rails and haven't got round to debugging yet,

but they have the same data but are different objects. If I do puts user and puts user.id for each, this is what I get:

  #<User:0x00000102e73490>
  1
  #<User:0x00000104291698>
  1
On 13 February 2011 11:25, msaspence <msaspence-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>
> On Feb 13, 7:47 am, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> wrote:
>> On Feb 12, 10:01 am, msaspence <msaspe...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>
>> > I'm using Authlogic, so have followed the instructions here: http://rdoc.info/github/binarylogic/authlogic/master/Authlogic/TestCase
>>
>> Have you tried sticking some breakpoints in your code to see how
>> current_user and @thing.owner differ?
>>
>
> Sorry, I'm still getting into Rails and haven't got round to debugging

Have a look at the Rails Guide on debugging. Use ruby-debug to allow you to break into your code, and then you can inspect data and follow the program flow.

Colin

> yet,
>
> but they have the same data but are different objects. If I do puts
> user and puts user.id for each, this is what I get:
>
> #<User:0x00000102e73490>
> 1
> #<User:0x00000104291698>
> 1
I'm the biggest noob in the world.

The comparison was comparing them correctly.

I had a typo in my test assertion that was causing it to fail when it should have passed.

Apologies for the trouble. I will get on and look at ruby-debug though.
On 13 February 2011 12:04, msaspence <msaspence-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I'm the biggest noob in the world.
>
> The comparison was comparing them correctly.
>
> I had a typo in my test assertion that was causing it to fail when it
> should have passed.

You don't have to be a noob for that. Typos are often the most difficult errors to find. When inspecting the code one sees what one expects to see rather than what is actually there.

Colin