Rails 7, Devise 4.8
I had a basic Devise setup working fine with just a User model. I needed a Dashboard protected from Users, so I added an Admin model for Devise. I then created the Devise admin routes and views as per the User pattern. I created a dashboard controller and protected it with
before_action :authenticate_admin!
OK. So now I have problems. First off, when experimenting, I allowed a sign-up to the Admin, and what I provided is now considered an Admin. OK. So I have current_admin true.
But when I navigate to /dashboard to see that controller, it throws a 401 and redirects to /users/sign_in. Which in turn triggers the check via a concern for Admin or User, and since I am Admin, back to the dashboard... etc. etc.
So, if current_admin says I am good, why is the before action taking me to /users/sign_in and not just rendering my dashboard?
I tried everything, but this two-model approach seems busted without me doing something about that Accessible concern they recommend.
So this was due to naive use of Rails. Turns out my ApplicationController, from which all controllers usually inherit, has a before action assigned to it asking for at least a User. Once I turned that off, the loop was cut.
Related
I have been working with CodeIgniter for a couple of days and I love it. For a beginner it's a great framework for creating web applications.
I'm using Tank Auth to set up the login system and so far I have managed to get the same thing done.
But there is one thing that I cannot understand. I've been studying the Tank Auth code and googled, but still cannot get around this very simple problem: how do I protect my website's content from unregistered users? What is the method used in CodeIgniter for that?
Let's say for example I have a controller Products with method show. By typing www.mywebsite.com/index.php/products/show I get to see them all on my website. Now how do I forbid unregistered users from accessing (seeing) my products?
I do understand that this most likely is a silly question, but I just cannot move on without a decent understanding of this. While it is fundamental, Google does not have the answer... (or I don't know how to ask precisely)
Assuming you have tank auth installed and configured correctly, you can simply redirect someone to the login screen if they aren't already logged in for any particular controller function.
if (!$this->tank_auth->is_logged_in()) redirect('auth/login');
If you use that at the start of any function it ensures only logged in users can load it, because any other user will be redirected away. Likewise, if you want to lock an entire controller off, just place that in the constructor.
The Welcome Controller that comes bundled with Tank Auth shows a good example of it, because only logged in users can see the "you are logged in now" page.
I am developing a web application which has several levels and modules. In the application everything is working fine.
If users stop working after logging in, leave the application in the logged-in state and try to use it after 1 hour, then the session expires and system state variables are lost. In this case the application is not redirecting to the login page (site/login), which is a bad user experience.
I am not able to identify what the problem is. How can I fix this?
A way of solving this would be to have your controllers not extend from CController directly.
You could have an intermediate controller say ModuleController that extends CController.
Then all your controllers extend that controller.
Override beforeAction() in ModuleController and check whether sessions are set and redirect to login if not.
So every time a user tries to access a page it will first check whether the session is set. You could use ACL to fine-tune this better.
This method could be applied to a variety of issues in Yii development.
Hope this helps!
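The same mechanism underlies the Devise question at the top of the page and the base-controller checks recommended for CodeIgniter and Yii: a pre-action filter defined once on a shared parent controller runs before the subclass's own filters, and the first filter that redirects ends the request. The plain-Ruby model below is an added example, not code from Rails, Devise, Tank Auth or Yii; the Session struct, the BaseController filter registry, the controller classes and the outcome helper are all constructed here. It shows why an admin-only session is bounced to /users/sign_in when ApplicationController demands a User, how skipping that inherited filter fixes it, and how an expired session is treated as logged out by the base check.

```ruby
# Added example (not Devise, Rails, Yii or Tank Auth code): a tiny stand-in
# for an inherited controller filter chain, using nothing beyond plain Ruby.
Session = Struct.new(:user_id, :admin_id, :expires_at) do
  # A session past its expiry counts as logged out (the Yii session-timeout case).
  def expired?(now)
    !expires_at.nil? && expires_at <= now
  end
end

class BaseController
  # Filters registered on a class, seeded from the parent so subclasses inherit
  # them in declaration order, like Rails' before_action or a Yii beforeAction()
  # overridden once in a shared parent controller.
  def self.before_actions
    @before_actions ||=
      (superclass.respond_to?(:before_actions) ? superclass.before_actions.dup : [])
  end

  def self.before_action(name)
    before_actions << name unless before_actions.include?(name)
  end

  def self.skip_before_action(name)
    before_actions.delete(name)
  end

  def initialize(session, now)
    @session = session
    @now = now
  end

  # Inherited filters run first; the first one answering with a redirect
  # short-circuits the request, so later filters never get to pass it.
  def dispatch(action)
    self.class.before_actions.each do |filter|
      halt = send(filter)
      return halt if halt
    end
    send(action)
  end

  def logged_in?(id)
    !id.nil? && !@session.expired?(@now)
  end

  # Stand-ins for Devise's authenticate_user! / authenticate_admin!
  def authenticate_user!
    logged_in?(@session.user_id) ? nil : { redirect: '/users/sign_in' }
  end

  def authenticate_admin!
    logged_in?(@session.admin_id) ? nil : { redirect: '/admins/sign_in' }
  end
end

# The site-wide check from the Devise post: every controller demands a User.
class ApplicationController < BaseController
  before_action :authenticate_user!
end

# Naive admin dashboard: it inherits authenticate_user!, so a session holding
# only an admin is sent to /users/sign_in before authenticate_admin! ever runs.
class LoopingDashboardController < ApplicationController
  before_action :authenticate_admin!

  def index
    { render: 'dashboard' }
  end
end

# Fixed dashboard: drop the inherited user check for this controller only.
class DashboardController < ApplicationController
  skip_before_action :authenticate_user!
  before_action :authenticate_admin!

  def index
    { render: 'dashboard' }
  end
end

# An ordinary member page that relies on the inherited check alone.
class ProductsController < ApplicationController
  def show
    { render: 'products' }
  end
end

# Returns either { render: ... } or { redirect: ... } for one simulated request.
def outcome(controller_class, session, action, now = Time.now)
  controller_class.new(session, now).dispatch(action)
end

if __FILE__ == $PROGRAM_NAME
  admin_only = Session.new(nil, 42, nil)
  p outcome(LoopingDashboardController, admin_only, :index)
  p outcome(DashboardController, admin_only, :index)
end
```

In real Rails the fix is exactly the `skip_before_action :authenticate_user!` line in the controller that authenticates a different model (or moving the user check off ApplicationController, as the poster did); in Yii the equivalent is the parent controller's beforeAction() returning false after issuing the redirect, and in CodeIgniter the redirect in the constructor. Note that the admin-only session still reaches the admin sign-in page when no admin is present, so removing the inherited filter does not weaken the dashboard's own check.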
I want to know how I can force a user to log in to the application again if the page is being opened in a new tab or new browser.
Edit:
My apologies I misunderstood the requirement.
I am authenticating the user in my log-in page but not anywhere else. So what is happening because of that is that even if I log out of the application and type a URL, say bla.com/apple, I can access my application.
I figured that to prevent this from happening, I have to write a base controller that checks for the right user. Am I moving in the right direction?
Thanks
Addressing the edit -
Authentication can be handled per controller or on individual actions. Simply place the [Authorize] attribute appropriately. This assumes, however, that somewhere an authentication token is being set. [Authorize] checks against the HttpContext's current User (an IPrincipal).
You mentioned above that you're just validating against a local username and password, in one place, so I'm guessing that no token (session, cookie) is being set?
You have a few options here to get that token stored and persisted across requests:
ASP.Net integrated membership provider (Intro)
A custom MembershipProvider (Example)
Full-on custom flow. (Example)
Each has ups and downs and depends on how exactly you want to handle on-boarding your users. It's hard to answer more specifically because it can be a very large topic (and a very broad question).
Here are the official pages for MVC security.
I use two different applications in my CI installation. The first is called "admin"... obviously an admin panel. The second is "frontend", where everything else is. I use the same database for each of the apps and the same member tables, both for admin authentication and member auth. The problem is, since the CI session class doesn't use native PHP sessions, the session only works in the application that it is set in (which makes sense)... for example, if a user that is indeed an admin logs into the system through the frontend app and then clicks the link to the admin app, they are required to log in again. If they have the "Remember Me" option selected when they log in to both apps, this obviously isn't a problem.
How would I fix this? Or do you guys think it's better to have them login to the admin app again, just to validate their admin status again?
Thanks for your time.
You could use the native PHP session instead. There's a class which you can just copy and paste, and you'll not have to change any of the rest of your code.
I was wondering if anyone can shed some light on setting up basic user authentication. I've installed the admin app into my project and it works great. But I need a basic user role that can have its own registration page etc.
I need to see something like
domain.com/users/user.slug
would take them to their profile page
I'm also going to have nested resources, so a user can have a project associated to them.
domain.com/users/user.slug/projects/project.slug
or
domain.com/users/user.slug/project.slug
The admin piece worked great, but I have no idea how to set up registration etc. for a user model.
I've used Devise in the past with Rails and I'm wondering if anything like it currently exists? I've seen some discussion around Warden. Is there a de facto solution that people are using, or am I able to implement the admin app to handle this? Right now /accounts is protected and can only be accessed by the admin role, so I can't have users go to accounts/new.
Thanks
For now I basically just copied the admin app into my own Users app while using my own User model.
The user model is basically a direct port of the account model, as is the session controller etc. I just switched the model names around.
I'm still not sure if this is the best approach or if I'm able to leverage the admin app to handle this also?
This solution is working, though again, I'm not sure if it's the optimal approach.