authentication and user management questions

MaD · February 25, 2009, 9:39am

for your permissions problem I'd suggest the implementation of roles or groups. that way you can add users to groups or give them roles, which can be checked in a before_filter in your controllers.

sessions: if you are using activerecordstore (and thus your sessions are saved in a db-table) deleting those entries should result in a logout. there should be configuration in your environment like this: config.action_controller.session_store = :active_record_store

if you clean that table and you are still logged in, it seems you store your session (or at least your login-info) inside the client- side cookies (see cookiestore). if in doubt check your cookies for e.g. with firebug/firecookie.

for automatical timeout and removal put the following in your application controller: # session-timeout after inactivity of one hour. MAX_SESSION_PERIOD = 1800

before_filter :session_expiry

# checks and (re-)calculates expiry time for sessions def session_expiry # if there is a session[:expiry_time], check it reset_session if session[:expiry_time] and session[:expiry_time] < Time.now # reset expiry_time session[:expiry_time] = MAX_SESSION_PERIOD.seconds.from_now return true end

MaD · February 25, 2009, 2:07pm

I thought about creating groups, but then won't this complicate things? I'll have group_pages table, and how do I manage those? can a user belongs to many groups?

it's actually best to create a many-to-many relationship (user habtm groups). there are many plugins outthere that provide just what you need. if you don't want to just use one of these (either a complete authentication-plugin or just something like acts_as_role), you could still take a look at them for inspiration.

> config.action_controller.session_store = :active_record_store after commenting the above line, I got an InvalidAuthentictyToken error, which probably comes from my login form.

just to make sure: you are using active_record_store now, right?

I checked the markup and I can see the hidden field containing the authenticity token.. So I'm not sure why this messes up.

try to delete your browser's cookies and cache as well as your session table. maybe you have a conflict with one of the old sessions/cookies.

additionally check that you have the following: # environment.rb: config.action_controller.session = { :session_key => '_myapp_session', :secret => 'secretpass' # use a long and good secret! }

config.action_controller.session_store = :active_record_store

# application.rb protect_from_forgery :secret => 'secretpass'

that should do it.

11175 · February 27, 2009, 6:09am

It seems the problem stemmed from the session_expiry check:

for automatical timeout and removal put the following in your application controller:   # session-timeout after inactivity of one hour.   MAX_SESSION_PERIOD = 1800

  before_filter :session_expiry #####<-- this was the problem

  # checks and (re-)calculates expiry time for sessions   def session_expiry     # if there is a session[:expiry_time], check it     reset_session if session[:expiry_time] and session[:expiry_time] < Time.now     # reset expiry_time     session[:expiry_time] = MAX_SESSION_PERIOD.seconds.from_now     return true   end

Although I used 1800 seconds, it reset the session before I logged in, rendering the authenticity token invalid. Removing that before filter solved that. I'll have to keep looking into the whole auto-logout thing

Thanks!

MaD · February 27, 2009, 9:38am

at least that token-problem is solved.

but it's still weird, cause that session_expiry code is actually working on one of my apps. are you sure you don't have some sort of typo? (sth. like > instead of <) i would debug that piece of code to see, why the session is reset. btw: 1800 sec is of course half an hour (not what my comment stated) *g*

11175 · March 3, 2009, 7:54am

MaD wrote:

at least that token-problem is solved.

but it's still weird, cause that session_expiry code is actually working on one of my apps. are you sure you don't have some sort of typo? (sth. like > instead of <) i would debug that piece of code to see, why the session is reset. btw: 1800 sec is of course half an hour (not what my comment stated) *g*

My code seems intact -

MAX_SESSION_PERIOD = 1800 before_filter :check_session_expiration

def check_session_expiration if session[:expiry_time] and seesion[:expiry_time] > Time.now reset_session end

session[:expiry_time] = MAX_SESSION_PERIOD.seconds.from_now return true end

I'm not really sure what about it messes things up - on the surface it seems as though it should work. For now I'll omit it and try to gradually introduce it.

Regarding my previous question on using groups and users - I decided to go with users that can only belong to a single group - this makes it easier to manage on my end, and there really is no need to add the many-to-many groups/users at this point.

Say that I have many groups (10 or so) and each group has varying permissions on pages across the site. I also created a page and permission models, such that:

page has_and_belongs_to_many :groups, :join_table => 'permissions' group has_and_belongs_to_many :pages, :join_table => 'permissions'

The permissions table holds the page_id and group_id, and booleans for can_read, can_write and can_execute.

My question is - what's the best way to manage these permissions in my controllers? I thought about adding an if statement at the beginning of each action to see if the user's group can access this page, but this seems like a lot of duplication:

def index if user.group.can_access_page?(page_id) # render index else # render some 'you cannot access this page' message end end

def update if user.group.can_write_page?(page_id) # perform update else # render 'sorry - no updates allowed' end end

and so on. I could just restrict access to the controller with before filter, but what if the user uses direct routes in the address bar (/controller/new/1)?

I'd appreciate insights on this - I really want to dry up my code as much as possible - thanks.