so I've been using Michael Hartl's tutorial for some time and I can say it's really useful but there's a problem and I gues it's not on the tutorial's part. So in chapter "9.2.2 Requiring the right user" ther's a test for checking that a user can access neither other user's edit page nor submit a direct PUT reauest.
describe "as wrong user" do
let(:user) { FactoryGirl.create(:user) }
let(:wrong_user) { FactoryGirl.create(:user, email: "wrong#example.com") }
before { sign_in user }
describe "visiting Users#edit page" do
before { visit edit_user_path(wrong_user) }
it { should_not have_selector('title', text: full_title('Edit user')) }
end
describe "submitting a PUT request to the Users#update action" do
before { put user_path(wrong_user) }
specify { response.should redirect_to(root_path) }
end
end
So long all seems right but the test fails:
1) Authentication authorization as wrong user submitting a PUT request to the Users#update action ←[31mFailure/Error:←[0m ←[31mspecify { response.should redirect_to(root_path }←[0m←[31mExpected response to be a redirect to <http://www.example.com/> but was a redirect to <http://www.example.com/signin>←[0m←[36m # ./spec/requests/authentication_pages_spec.rb:107:in `block (5 levels) in <top (required)>'←[0m
Here's the User controller:
class UsersController < ApplicationController
before_filter :signed_in_user, only: [:index, :edit, :update]
before_filter :correct_user, only: [:edit, :update]
def index
#users = User.all
end
def show
#user = User.find(params[:id])
end
def new
#user = User.new
end
def create
#user = User.new(params[:user])
if #user.save
sign_in #user
flash[:success] = "Welcome to the Sample App!"
redirect_to #user
else
render 'new'
end
end
def edit
end
def update
if #user.update_attributes(params[:user])
flash[:success] = "Profile updated"
sign_in #user
redirect_to #user
else
render 'edit'
end
end
private
def signed_in_user
unless signed_in?
puts "No user signed in"
store_location
redirect_to signin_path, notice: "Please sign in."
end
end
def correct_user
#user = User.find(params[:id])
puts "Incorrect user" unless current_user?(#user)
redirect_to(root_path) unless current_user?(#user)
end
end
So as you can see the problem is that when using RSpec put method, the test fails even before checking for the right user because it sees ther's no user signed in.
This is a small problem which can easily be omitted (incorrect user cannot make direct PUT request anyway) but it's a puzzle for me why doesn't it work correct and I can't get the answer for quite a time already.
It looks like the signed_in_user filter is redirecting back to the sign in page before the correct_user fires. That suggests that the user is not actually signed in correctly by the sign_in user call in the before block.
Have you defined sign_in in spec/support/utilities.rb?
include ApplicationHelper
def sign_in(user)
visit signin_path
fill_in "Email", with: user.email
fill_in "Password", with: user.password
click_button "Sign in"
# Sign in when not using Capybara as well.
cookies[:remember_token] = user.remember_token
end
Related
I made a simple application that interacts with DB and perform CRUD operations in it after authenticating and authorizing a user. It used to work when there was a single table but as soon as I started playing with nested relations and authentication mechanism I get the error. So far I think I have done everything right. Here's the screenshot of the error:
Here's my routes.rb:
Rails.application.routes.draw do
root to: "todo_lists#index"
resources :todo_lists do
resources :todo_items
end
resources :sessions, only: [:new, :create, :destroy]
get "/login" => "sessions#new", as: "login"
delete "/logout" => "sessions#destroy", as: "logout"
end
My session controller:
class SessionsController < ApplicationController
def new
end
def create
#user = User.find_by(username: params[:username])
#password = params[:password]
end
if #user && #user.authenticate(password)
session[:user_id] = #user.id
redirect_to root_path, notice: "Logged in successfully"
else
redirect_to login_path, alert: "Invalid Username/Password combination"
end
def destroy
reset_session
redirect_to login_path, notice: "You have been logged out"
end
end
Oh and I modified the ApplicationController so the routes should work nonetheless:
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
before_action :ensure_login
helper_method :logged_in?, :current_user
protected
def ensure_login
redirect_to login_path unless session[:user_id]
end
def logged_in?
session[:user_id]
end
def current_user
#current_user ||= User.find(session[:user_id])
end
end
I think the code is not in create method, and root_path is not a class method, is an instance method:
class SessionsController < ApplicationController
def new
end
def create
#user = User.find_by(username: params[:username])
#password = params[:password]
end # <--- here create method finish. Where this end comes from?
if #user && #user.authenticate(password)
session[:user_id] = #user.id
# root_path is defined for an instance
# of a controller, not for the class
redirect_to root_path, notice: "Logged in successfully"
else
redirect_to login_path, alert: "Invalid Username/Password combination"
end
def destroy
reset_session
redirect_to login_path, notice: "You have been logged out"
end
end
Your logic for redirecting is outside of the method block:
if #user && #user.authenticate(password)
session[:user_id] = #user.id
redirect_to root_path, notice: "Logged in successfully"
else
redirect_to login_path, alert: "Invalid Username/Password combination"
end
That code should be before the final end of the create method
Have you tried using root_url instead of root_path in your SessionsController?
HTTP requires a fully qualified URL when doing a 302 redirect. The _url method provides an absolute path, including protocol and server name. The _path method provides a relative path, while assuming the same server and protocol as the current URL.
Try switching to root_url and let me know if anything changes!
Edit: The reason I suggest using an absolute path is because you mentioned the redirect was working fine with just one table, before you added another table and nested routes.
Edit: One other thing I noticed is the authentication block below is not placed within the sessions#create route, as you would expect.
if #user && #user.authenticate(password)
session[:user_id] = #user.id
redirect_to root_path, notice: "Logged in successfully"
else
redirect_to login_path, alert: "Invalid Username/Password combination"
end
Is there a reason it exists outside of a method? Try moving it back inside the create route.
I am working through Michael Hartl's Rails book and I am about halfway through chapter 10-working on account activation.
I had everything working with the mailers but then when I tried to add a new user, I got the following error message: "undefined method `activation_digest=' for #"
I have been trying to follow along in the book the best that I can. I have my users_controller.rb here:
class UsersController < ApplicationController
before_action :logged_in_user, only: [:index, :edit, :update]
before_action :correct_user, only: [:edit, :update]
def new
#user = User.new
end
def index
#users = User.paginate(page: params[:page], :per_page => 10)
end
def show
#user = User.find(params[:id])
end
def create
#user = User.new(user_params)
if #user.save
#user.send_activation_email
flash[:info] = "Please check your email to activate your account."
redirect_to root_url
else
render 'new'
end
end
def update
#user = User.find(params[:id])
if #user.update_attributes(user_params)
else
render 'edit'
end
end
def edit
#user = User.find(params[:id])
end
#confirms if a user is logged in
def logged_in_user
unless logged_in?
store_location
flash[:danger] = "Please Log In."
redirect_to login_url
end
end
private
def user_params
params.require(:user).permit(:name, :email, :password,
:password_confirmation)
end
end
Here is my Model/user.rb:
class User < ActiveRecord::Base
attr_accessor :remember_token, :activation_token
before_save :downcase_email
before_create :create_activation_digest
before_save { self.email = email.downcase }
validates :name, presence: true, length: { maximum: 50 }
VALID_EMAIL_REGEX = /\A[\w+\-.]+#[a-z\-.]+\.[a-z]+\z/i
validates :email, presence: true, length: { maximum: 255 },
format: { with: VALID_EMAIL_REGEX },
uniqueness: { case_sensitive: false }
has_secure_password
validates :password, length: { minimum: 6 }
# Returns the hash digest of the given string.
def User.digest(string)
cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST :
BCrypt::Engine.cost
BCrypt::Password.create(string, cost: cost)
end
#Returns a random token
def User.new_token
SecureRandom.urlsafe_base64
end
#Remembers a user in the database for use in persistent sessions
def remember
self.remember_token = User.new_token
update_attribute(:remember_digest, User.digest(remember_token))
end
#Returns true if the given token matches the digest
def authenticated?(remember_token)
return false if remember_digest.nil?
BCrypt::Password.new(remember_digest).is_password?(remember_token)
end
#forgets a user
def forget
update_attribute(:remember_digest, nil)
end
private
# Converts email to all lower-case.
def downcase_email
self.email = email.downcase
end
# Creates and assigns the activation token and digest.
def create_activation_digest
self.activation_token = User.new_token
self.activation_digest = User.digest(activation_token)
end
end
The routes I have this:
root 'static_pages#home'
get 'sessions/new'
get 'users/new'
get 'help' => 'static_pages#help'
get 'about' => 'static_pages#about'
get 'contact' => 'static_pages#contact'
get 'signup' => 'users#new'
get 'login' => 'sessions#new'
post 'login' => 'sessions#create'
delete 'logout' => 'sessions#destroy'
resources :users
resources :account_activations, only: [:edit]
Please let me know if anything more is needed to be seen. I do have my App up on Github under the name sample_app, my username is ravenusmc.
Looking at your project on Github, your User model doesn't have an activation_token or activation_digest column, nor does the model define them as attributes.
Your User model is trying to write to these columns in the User#create_activation_digest function which is most likely causing the issue.
You'll need to write a migration to add those columns to your User model or add them is attributes (ie attr_accessor) if they are not meant to be persisted.
I am new to rails and working on a rails application.
I have installed the Devise gem and find it helpful in many areas, however I cannot create a new user unless I do it on the Rails Console. I find this especially frustrating. Does anyone have any suggestions or solutions?
When I sign up as an employee I get the following error "CanCan::AccessDenied in JobsController#index"
Also please note that when I verified my user model in devise and I have already included "include Devise::Models::DatabaseAuthenticatable"
My jobs_controller.rb file
def index
#users = User.all
#user = current_user
#jobs = Job.all
#jobs = Job.paginate(:page => params[:page], :per_page => 3)
end
# GET /jobs/1
# GET /jobs/1.json
def show
end
# GET /jobs/new
def new
#job = Job.new(:date => Time.now, :date_of_loss => Time.now, :sign_date => Time.now, :time_called_in => Time.now)
end
# GET /jobs/1/edit
def edit
end
# POST /jobs
# POST /jobs.json
def create
#job = Job.new(job_params)
respond_to do |format|
if #job.save
format.html { redirect_to #job, notice: 'Job was successfully created.' }
format.json { render action: 'show', status: :created, location: #job }
else
format.html { render action: 'new' }
format.json { render json: #job.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /jobs/1
# PATCH/PUT /jobs/1.json
def update
respond_to do |format|
if #job.update(job_params)
format.html { redirect_to #job, notice: 'Job was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: 'edit' }
format.json { render json: #job.errors, status: :unprocessable_entity }
end
end
end
# DELETE /jobs/1
# DELETE /jobs/1.json
def destroy
#job.destroy
respond_to do |format|
format.html { redirect_to jobs_url }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_job
#job = Job.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def job_params
params.require(:job).permit(:date, :time_called_in, :date_of_loss, :contact, :job_address, :city, :postal_code, :site_phone, :work_phone, :cell_phone, :email, :referred_by, :insurance_company, :policy_number, :claim_number, :broker, :insurance_address, :insurance_city, :insurance_province, :insurance_postal_code, :insurance_phone, :insurance_contact, :insurance_email, :customer_name, :customer_address, :authorized, :signed_by_name, :sign_date, :signature, :contact_first_name, :contact_last_name)
end
end
My ability model looks like this
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.role == "admin"
can :manage, :all
elsif user.role == "manager"
can [:read, :update, :create], [Job, Equipment]
#can [:read, :update, :create], [Equipment]
elsif user.role == "employee"
can [:read, :update, :create], [Equipment, Job]
cannot [:create], [Job]
#can [:read, :update], [Equipment]
end
end
If you are getting this error: CanCan::AccessDenied in JobsController#index it's because your user is not authorized to access the JobsController#index method and has nothing to do with creating users.
Can you explain what you mean when you say you "Sign up as an employee"? Do you have a roles table or a boolean on the users table to indicate that a user is an employee?
Please post your Ability.rb class (possibly in app/models/ability.rb) as that's where the access controls for cancan are defined.
Try changing this:
user ||= User.new # guest user (not logged in)
to this:
user ||= User.new # guest user (not logged in)
puts "user.role = #{user.role}"
and then check your logs to see what the value of user.role is. I'm wondering if your user does not have the role that you think it does.
I'd like to have additional attributes for my User model and don't want to create a separate Profile model.
I'm trying to update custom fields with standart «update» from RESTful set of actions:
class UsersController < ApplicationController
before_filter :authenticate_user!
# ...
def update
#user = User.find(params[:id])
authorize! :update, #user
respond_to do |format|
if #user.update_attributes(params[:user])
format.html { redirect_to #user, notice: 'User was successfully updated.' }
format.json { head :ok }
else
format.html { render action: "edit" }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
end
And it all goes fine except the fact that the current_user is able to update any user's profile. It seems I can't restrict any User action. I've tried:
can :update, User, :id => user.id
and
cannot :update, User # at all
with no luck. Using Devise 1.5.0 and CanCan 2.0.0.alpha
Here's my ability.rb
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new(:role => nil) # guest user (not logged in)
can :access, :all
if user.admin?
can :manage, :all
else
can :read, Review
if user.customer?
can :update, User, :id => user.id
can [:create, :update, :destroy], Review, :user_id => user.id
end
end
end
end
Code looks good to me.
What if you try to simplify the second condition first and take out the customer condition? And maybe take out "can :access, :all
Something like:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new(:role => nil) # guest user (not logged in)
if user.admin?
can :access, :all
else
can :read, :all
can :update, :users, :id => user.id
can [:create, :update, :destroy], :reviews, :user_id => user.id
end
end
end
Does your restriction work for Reviews (that user can only edit his own reviews) ?
I have a similar ability file but I always work with a seperate profile model..
I am using Devise 1.4.2, RSpec 2.6.0 and Rails 3.1.0.rc6. My routes.rb looks like this:
scope "(:locale)", :locale => /e(s|n)/ do
resources :demotivideos, :only => [:index, :show]
devise_for :users
namespace "admin" do
resources :demotivideos, :except => [:index, :show]
end
end
I am spec'ing that, when a not logged in user acces new, create or update, he should be redirected to new_user_session_path. For this, I am using the following code
context "when not logged in" do
before(:each) do
sign_out user
end
describe "GET new" do
it "should redirect to new user session" do
get :new
response.should redirect_to(new_user_session_path)
end
end
describe "POST create" do
it "should redirect to new user session" do
post :create, :demotivideo => valid_attributes
response.should redirect_to(new_user_session_path)
end
end
describe "PUT update" do
it "should redirect to new user session" do
put :update, :id => 1, :demotivideo => valid_attributes
response.should redirect_to(new_user_session_path)
end
end
end
All are failing because of the same reason: expected route includes the locale (by default en) but the actual redirect was to the same path without locale. My application controller was modified as told in Rails Guides:
class ApplicationController < ActionController::Base
protect_from_forgery
before_filter :set_locale
def default_url_options(options={})
logger.debug "default_url_options is passed options: #{options.inspect}\n"
{ :locale => I18n.locale }
end
def set_locale
I18n.locale = params[:locale] || I18n.default_locale
end
end
What am I doing wrong?
Seems like though Rails Guides uses def default_url_options in Devise you need def self.default_url_options. Don't know the difference, though.