I manage the authorization of users in my app with the pundit gem. Everything works fine for the user. Now I created a second devise model: Employers. I want to show a specific page to both logged in user as well as logged in employers. How do I do that?
Here is my policy for the model:
class CurriculumPolicy < ApplicationPolicy
class Scope < Scope
def resolve
scope.all
end
end
def create?
return true
end
def show?
record.user == user || user.admin
end
def update?
record.user == user || user.admin
end
def destroy?
record.user == user || user.admin
end
end
And here is my controller for the index page which I want to make accessible:
class CurriculumsController < ApplicationController
skip_before_action :authenticate_user!, only: [:new, :create, :index]
before_action :set_curriculum, only: [:show, :edit, :update, :destroy]
def index
# #curriculums = policy_scope(Curriculum).order(created_at: :desc)
if params[:query]
#curriculums = policy_scope(Curriculum).joins(:user)
.where('users.job_category ILIKE ?', "%#{params[:query]}%")
.where(
'job_category ILIKE :query', query: "%#{params[:query]}%"
)
else
#curriculums = policy_scope(Curriculum).order(created_at: :desc)
end
end
private
def set_curriculum
#curriculum = Curriculum.find(params[:id])
end
def curriculum_params
params.require(:curriculum).permit(:doc)
end
end
You can have workaround here like below for each actions
def show?
true if #user.class.table_name == "employees"
end
Related
I am using Rails 7, Devise and Pundit.
I've got Users and Projects.
Only Users classified as "admin" or "moderator" can perform actions (New,
Edit, Update, Destroy, ...).
Unlogged Users and Users classified as "user" can see Index and Show pages.
When I'm on a show page ('http://localhost:3000/projects/[id]') as an unlogged User and try to edit it (via 'http://localhost:3000/projects/[id]/edit') it sends me to a Devise login page which is normal. Once logged in correctly with an unauthorized profile (User classified as "user") Pundit authorization kicks in and rescues the request.
=> The problem is here :
First Firefox tells me that the page isn't redirected properly ... Probably because I'm sent back to 'http://localhost:3000/users/sign_in' while being signed in.
When I reload my page it tells me via an alert "You are already signed in." on my root_path page.
Application_controller :
class ApplicationController < ActionController::Base
before_action :store_user_location!, if: :storable_location?
before_action :authenticate_user!, except: [:index, :show]
before_action :configure_permitted_parameters, if: :devise_controller?
include Pundit
protect_from_forgery with: :exception
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
after_action :verify_authorized, except: :index, unless: :skip_pundit?
after_action :verify_policy_scoped, only: :index, unless: :skip_pundit?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
devise_parameter_sanitizer.permit(:sign_in, keys: [:username])
devise_parameter_sanitizer.permit(:account_update, keys: [:username])
end
private
def skip_pundit?
devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/
end
def user_not_authorized
flash[:alert] = "You are not authorized to perform this action."
redirect_back(fallback_location: root_path)
end
def storable_location?
request.get? && is_navigational_format? && !devise_controller? && !request.xhr?
end
def store_user_location!
# :user is the scope we are authenticating
store_location_for(:user, request.fullpath)
end
def after_sign_in_path_for(resource_or_scope)
stored_location_for(resource_or_scope) || super
end
end
Project_policy :
class ProjectPolicy < ApplicationPolicy
class Scope < Scope
# NOTE: Be explicit about which records you allow access to!
# def resolve
# scope.all
# end
def resolve
scope.all
end
private
attr_reader :user, :scope
end
def index?
true
end
def show?
true
end
def create?
user.admin? || user.moderator?
end
def edit?
user.admin? || user.moderator?
end
def update?
user.admin? || user.moderator?
end
def destroy?
user.admin? || user.moderator?
end
end
I don't think more is needed but if some code samples are missing don't hesitate to tell me ! I'd like to find a way to handle this properly. Thanks !
I know it is in the Pundit documentation but have you tried without the protect_from_forgery line? I can tell you from first hand experience Pundit works without it...
EDIT: Try to move the protect_from_forgery before the before_action :authenticate_user!
I found a solution but it's probably not a clean one and I don't know if it is safe or if it's durable.
I removed from my application_controller the following :
the method : storable_location?
the method : store_user_location!
before_action :store_user_location!, if: :storable_location?
This is what I added/modified under "private".
# Redirect after login via Devise
def after_sign_in_path_for(resource)
session["user_return_to"] || root_path
end
# Redirect if unauthorized by Pundit
def user_not_authorized
session["user_return_to"] = redirection_reroll
flash[:alert] = "You are not authorized to perform this action."
redirect_to(session["user_return_to"] || root_path)
end
# Reroll redirection path when unauthorized
def redirection_reroll
checker = ["new", "edit"]
path = session["user_return_to"].split("/")
if checker.include? path[-1]
path.pop()
end
session["user_return_to"] = path.join("/")
end
i try to add the image field on reply form in my new app type forum.
the app containt the principal sujet and all users connected can reply on section replie.
now , i try to add the image field more older text field.
i use carrierwave to implement the feature.
but i receives this error message in terminal:
NoMethodError - undefined method `reimage_will_change!' for #
<Reply:0x000055cb9f2abc30>
Did you mean? Reimage_will_change!:
app/controllers/replies_controller.rb:8:in `create'
why subjection rails: reimage_will_change:
my i used "reimage" that variable field.
see complet message termianl:
Started POST "/discussions/pourquoi-intel-a-t-il-du-mal-a-suivre-la-loi-de-moore-la-loi-de-moore-est-elle-morte/replies" for ::1 at 2019-07-04 10:12:20 +0000
(1.5ms) SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
↳ /home/chatln/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/activerecord-5.2.3/lib/active_record/log_subscriber.rb:98
Processing by RepliesController#create as JS
Parameters: {"utf8"=>"✓", "reply"=>{"reply"=>"Amazon CEO Jeff Bezos gave this advice to those ", "reimage"=>#<ActionDispatch::Http::UploadedFile:0x000055d560cc1150 #tempfile=#<Tempfile:/tmp/RackMultipart20190704-14120-1uwpx6n.png>, #original_filename="Capture d’écran de 2019-06-10 11-08-07.png", #content_type="image/png", #headers="Content-Disposition: form-data; name=\"reply[reimage]\"; filename=\"Capture d\xE2\x80\x99\xC3\xA9cran de 2019-06-10 11-08-07.png\"\r\nContent-Type: image/png\r\n">}, "commit"=>"Envoyer", "discussion_id"=>"pourquoi-intel-a-t-il-du-mal-a-suivre-la-loi-de-moore-la-loi-de-moore-est-elle-morte"}
User Load (1.3ms) SELECT "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2 [["id", 1], ["LIMIT", 1]]
↳ /home/chatln/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/activerecord-5.2.3/lib/active_record/log_subscriber.rb:98
Discussion Load (0.8ms) SELECT "discussions".* FROM "discussions" WHERE "discussions"."slug" = $1 LIMIT $2 [["slug", "pourquoi-intel-a-t-il-du-mal-a-suivre-la-loi-de-moore-la-loi-de-moore-est-elle-morte"], ["LIMIT", 1]]
####
↳ app/controllers/replies_controller.rb:55
Completed 500 Internal Server Error in 225ms (ActiveRecord: 24.9ms)
####
NoMethodError - undefined method `reimage_will_change!' for #<Reply:0x00007ffb6c716fa0>
Did you mean? Reimage_will_change!:
app/controllers/replies_controller.rb:8:in `create'
I think the error comes from line 55 of the replies controller at the level of set_discussion.
def set_discussion
#discussion = Discussion.friendly.find(params[:discussion_id])
end
and replies_controller complet
class RepliesController < ApplicationController
before_action :authenticate_user!
before_action :set_reply, only: [:edit, :update, :show, :destroy]
before_action :set_discussion, only: [:create, :edit, :show, :update, :destroy]
#before_action :find_discussions, only: [:create, :edit, :show, :update, :destroy]
def create
#reply = #discussion.replies.create(params[:reply].permit(:reply, :reimage, :discussion_id))
#reply.user_id = current_user.id
respond_to do |format|
if #reply.save
format.html { redirect_to discussion_path(#discussion) }
format.js # renders create.js.erb
else
format.html { redirect_to discussion_path(#discussion), notice: "Reponse non enregistrée, ressayer encore."}
format.js
end
end
end
def new
end
def destroy
#reply = #discussion.replies.find(params[:id])
#reply.destroy
redirect_to discussion_path(#discussion)
end
def edit
#discussion = Discussion.find(params[:discussion_id])
#reply = #discussion.replies.find(params[:id])
end
def update
#reply = #discussion.replies.find(params[:id])
respond_to do |format|
if #reply.update(reply_params)
format.html { redirect_to discussion_path(#discussion), notice: 'Reponse mise a jour...' }
else
format.html { render :edit }
format.json { render json: #reply.errors, status: :unprocessable_entity }
end
end
end
def show
end
private
def set_discussion
#discussion = Discussion.friendly.find(params[:discussion_id])
end
def set_reply
#reply = Reply.find(params[:id])
end
def reply_params
params.require(:reply).permit(:reply, :reimage, :discussion_id)
end
end
and model replies
class Reply < ApplicationRecord
mount_uploader :reimage, ReimageUploader
belongs_to :discussion
belongs_to :user
validates :reply, presence: true
extend FriendlyId
friendly_id :reply, use: [:slugged, :finders]
def should_generate_new_friendly_id?
reply_changed?
end
end
undefined method `x_will_change!' for # occures if you forget to add a column in your model's db table. If you have a model Reply and a ReimageUploader, with the uploader mounted as in the Carrierwave docs:
class Reply < ActiveRecord::Base
mount_uploader :reimage, ReimageUploader
end
Then the error will read
undefined method `reimage_will_change!' for #
To fix it add a column in a migration run the following in the console:
rails g migration AddReimageToUsers reimage:string
This will generate the following migration:
class AddReimageToUsers < ActiveRecord::Migration
def change
add_column :replies, :reimage, :string
end
end
Migrate it to apply the change (write down the below command in the console):
rake db:migrate
I'm working on a Rails 5 app using the omniauth-bnet gem, not devise, have a Single Sign On through that gem, and have a few User types, using Single Table Inheritance. For whatever reason, the admin type can login fine, but the average User cannot create a session. Here's some of the relevant code.
items_controller.rb:
before_action :check_authorization, except: [:show]
before_action :check_for_email, except: [:show]
...
private
def check_authorization
unless current_user
redirect_to root_path
end
end
def check_for_email
unless current_user.email
redirect_to signup_add_email_url
end
end
sessions_controller.rb:
class SessionsController < ApplicationController
def create
begin
#user = User.from_omniauth(request.env['omniauth.auth'])
session[:user_id] = #user.id
flash[:success] = "Well met, #{#user.name}!"
rescue
flash[:warning] = "There was an error while trying to create your
account..."
end
redirect_to items_path
end
...
admin_user.rb:
class AdminUser < User
end
normal_user.rb:
class NormalUser < User
end
user.rb:
class User < ApplicationRecord
...
class << self
def from_omniauth(auth_hash)
user = find_or_create_by(name: auth_hash['info']['battletag'], uid:
auth_hash['uid'], provider: auth_hash['provider'])
user.name = auth_hash['info']['battletag']
user.uid = auth_hash['uid']
user.token = auth_hash['credentials']['token']
user.save!
user
end
end
routes.rb:
...
# Auth
get '/auth/:provider/callback', to: 'sessions#create'
...
The logs show that my NormalUser type session never gets created. Yet the AdminUser type doesn't have any problem logging in...
Any ideas? I've tried everything I can google or think of.
While I'm reading Rails 4 in Action, I'm trying to implement my own application, so it doesn't look same as in the book.
The book's corresponding commit is Section 7.2.3: Only admins can create or delete projects
In my case, admins can only delete the item (item corresponds to the project in the book.).
My repo https://github.com/tenzan/shop and deployed http://ichiba-demo.herokuapp.com/
The rule I want to apply is:
A regular user (you can login with staff#example.com/password) can do everything except destroy action.
Admin (admin#example.com/password) only can destroy.
To realise that I have:
In admin/items_controller.rb:
class Admin::ItemsController < Admin::ApplicationController
def destroy
#item = Item.find(params[:id])
#item.destroy
flash[:notice] = 'Item has been deleted.'
redirect_to items_path
end
private
def item_params
params.require(:item).permit(:name, :quantity)
end
end
In controllers/items_controller.rb:
class ItemsController < ApplicationController
before_action :set_item, only: [:show, :edit, :update]
def index
#items = Item.all
end
def new
#item = Item.new
end
def create
#item = Item.new(item_params)
if #item.save
flash[:notice] = 'Item has been created.'
redirect_to #item
else
flash.now[:alert] = 'Item has not been created.'
render 'new'
end
end
def show
end
def edit
end
def update
if #item.update(item_params)
flash[:notice] = 'Item has been updated.'
redirect_to #item
else
flash.now[:alert] = 'Item has not been updated.'
render 'edit'
end
end
private
def set_item
#item = Item.find(params[:id])
rescue ActiveRecord::RecordNotFound
flash[:alert] = 'The item could not be found.'
redirect_to items_path
end
def item_params
params.require(:item).permit(:name, :quantity)
end
end
In routes.rb:
Rails.application.routes.draw do
namespace :admin do
root 'application#index'
resources :items, only: :destroy
end
devise_for :users
root 'items#index'
resources :items, only: [:index, :show, :edit, :update, :new, :create] do
resources :comments
end
end
Questions:
Do I have to specify actions in the routes.rb, as I already have specified who can use what actions in their corresponding controllers? I didn't notice any change when I remove them from the routes.rb...
Am I violating DRY concept, when I specify actions in 2 places, i.e. in the routes.rb and controllers/items_controllers.rb ?
I'll be happy if you point out other places to improve to meet best practice.
PS: The subject maybe vague, please feel free to edit it.
Do I have to specify actions in the routes.rb, as I already have
specified who can use what actions in their corresponding controllers?
Yes. For instance, if you'd have only one action in items_controller.rb controller (let say show), and left
resources :items do # no specified actions
#...
end
in routes.rb it would generate all routes for items controller (for new, create, edit, destroy, update etc). But specifying actions in routes.rb you limit generated routes to only needed.
Am I violating DRY concept, when I specify actions in 2 places, i.e.
in the routes.rb and controllers/items_controllers.rb ?
No. Because you actually specify actions in controller, in routes.rb you only specify routes.
I'll be happy if you point out other places to improve to meet best
practice.
This line:
resources :items, only: [:index, :show, :edit, :update, :new, :create] # better to use %i() notation, eg only: %i(index show edit update new create)
could be written as:
resources :items, except: :destroy
Regarding your admin user - to allow only him to destroy, just check if current_user is admin. If you'll have more, than one action which is allowed to be performed by only admin, you can create before_action in controller:
before_action :check_admin?, only: %i(destroy another_action)
private
def check_admin?
# your logic to check, if user is admin
end
You can also be interested in going through Ruby style guide.
Even though you're not violating DRY directly, you're muddying up the REST architecture by moving a single entity's actions to different controllers. You don't need a specific controller or namespace for admins - you just need to assert that the user is an administrator before proceeding with the delete action.
Since you have already added the admin column to your devise model, you can move the delete action to ItemsController
def destroy
if current_user.try(:admin?)
#item = Item.find(params[:id])
#item.destroy
flash[:notice] = 'Item has been deleted.'
else
flash[:alert] = 'Only admins can delete items.'
end
redirect_to items_path
end
Your routes would be cleaner since your admin namespace would be used only for user moderation. The only route for items would be:
resources :items do
resources :comments
end
Hi i have a controller in rails where i call all my players in database.
#candidates = Player.order("created_at DESC")
What i need is to show just the ones that have "active=1" un the database.. how can i add the where clause on this..
Tried this.. THE PROBLEM is that active is a table call "users" and im fetching "players" table..
#candidates = Player.where("active = ?", "1").order("created_at DESC")
Im lost :(
This is part of the player model
class Player < ActiveRecord::Base
belongs_to :user
Candidate model
class Candidate < ActiveRecord::Base
attr_accessible :country_id
end
Candidates controller
class CandidatesController < SecureController
skip_authorize_resource :only => [:index, :show]
# GET /players
# GET /players.json
def index
#candidates = Player.order("created_at DESC")
position = params[:position]
minyear = params[:minyear]
maxyear = params[:maxyear]
citizen = params[:nation]
#candidates = Player.scoped # for Rails 3
if params[:position].present?
#candidates = #candidates.where(position: position)
end
if params[:minyear].present?
#candidates = #candidates.where("birthday >= ?", minyear)
end
if params[:maxyear].present?
#candidates = #candidates.where("birthday <= ?", maxyear)
end
if params[:minyear].present? && params[:maxyear].present?
#candidates = #candidates.where("birthday >= ? AND birthday <= ?", minyear, maxyear)
end
respond_to do |format|
format.html # index.html.erb
format.json { render json: #candidates }
end
authorize! :show, :candidates
end
You need to join the users table:
Player.joins(:user).where("users.active = ?", "1").order("players.created_at DESC")
Also a better way to write the condition is:
Player.joins(:user).where(users: { active: true }).order("players.created_at DESC")