Finding out where a variable is defined

I'm looking at code in a project. I have no clue what is being passed into the resource parameter:

    def read_authorized?(resource)
      if resource.respond_to? :user_read_authorized?
        resource.user_read_authorized? current_user
      else
        true
      end
    end

Is there any kind of debugging feature I can run to see what gets passed into resource in this specific instance.

Also, user_read_authorized? is not defined anywhere else in application. Is that legal in rails? Can someone just define :user_read_authorized? and it mean something?

Thanks for any suggestions

Have a look at the Rails Guide on debugging then use ruby-debug to break into the function. Then you can inspect the variables.

Colin

As to the second part of your question, it is perfectly "legal" to define your own method names and the behavior that you expect. In this case, it seems like a resource (probably a model) is presumed to be readable (true) unless the resource has defined its own :user_read_authorized? method that takes a user and supplies a particular answer (and if a login has not been required, current_user might be false).

Shame on you if your method names don't make sense, of course. :wink:

-Rob

Rob Biedenharn http://agileconsultingllc.com Rob@AgileConsultingLLC.com

Colin Law wrote:

Is there any kind of debugging feature I can run to see what gets passed into resource in this specific instance.

Have a look at the Rails Guide on debugging then use ruby-debug to break into the function. Then you can inspect the variables.

Colin

Yeah I followed the rails guide and got this far:

    MacBook-Pro:trunk user$ script/server --debugger
    => Booting WEBrick
    => Rails 2.3.4 application starting on http://0.0.0.0:3000
    => Debugger enabled
    => Call with -d to detach
    => Ctrl-C to shutdown server

Then the rails guide says this:

3.2 The Shell

As soon as your application calls the debugger method, the debugger will be started in a debugger shell inside the terminal window where you launched your application server, and you will be placed at ruby-debug’s prompt (rdb:n). The n is the thread number. The prompt will also show you the next line of code that is waiting to run.

Unfortunately, I do not get a rdb:n and in fact, I type anything in terminal and nothing happens.

Have you put the line debugger at the appropriate point to break in your app? That is what it means by your app calling the debugger method.

You should then see the break happen in the same window where you started the server (when it gets to the debugger line that is).

Colin

I get this error message:

NoMethodError in RolesController#new

undefined method `run_init_script' for Debugger:Module

I was able to fix the above error. However, I try to inspect what the value of resource is and I get this using the p command as the rails guide suggests:

    (rdb:1) p resource
    NameError Exception: undefined local variable or method `resource' for #<VerbsController:0x1061102e0>

John Merlino wrote: [...]

I was able to fix the above error. However, I try to inspect what the value of resource is and I get this using the p command as the rails guide suggests:

    (rdb:1) p resource
    NameError Exception: undefined local variable or method `resource' for #<VerbsController:0x1061102e0>

The error means just what it says. You haven't defined "resource" at that point in your code. Try using the l command in the debugger to make sure you're where you think you are.

Best,

Marnen Laibow-Koser wrote:

John Merlino wrote: [...]

I was able to fix the above error. However, I try to inspect what the value of resource is and I get this using the p command as the rails guide suggests:

    (rdb:1) p resource
    NameError Exception: undefined local variable or method `resource' for #<VerbsController:0x1061102e0>

The error means just what it says. You haven't defined "resource" at that point in your code. Try using the l command in the debugger to make sure you're where you think you are.

Best, -- Marnen Laibow-Koser http://www.marnen.org marnen@marnen.org

I'm confused when I do this:

    (rdb:5) p read_authorized?(resource)
    true

It returns a value of true. But it's undefined?

No. Based on what you've said, resource is undefined, but read_authorized? is written in such a way that if it is passed an undefined argument, it returns true. Why? I don't know. Step through with the debugger to see what's going on.

Best,

Rob Biedenharn wrote:

Is there any kind of debugging feature I can run to see what gets
passed into resource in this specific instance.

Also, user_read_authorized? is not defined anywhere else in
application. Is that legal in rails? Can someone just define :user_read_authorized? and it mean something?

Thanks for any suggestions

As to the second part of your question, it is perfectly "legal" to define your own method names and the behavior that you expect. In this case, it seems like a resource (probably a model) is presumed to be readable (true) unless the resource has defined its own :user_read_authorized? method that takes a user and supplies a particular answer (and if a login has not been required, current_user might be false).

Shame on you if your method names don't make sense, of course. :wink:

-Rob

Rob Biedenharn http://agileconsultingllc.com Rob@AgileConsultingLLC.com

    def read_authorized?(resource)
      if resource.respond_to? :user_read_authorized?
        resource.user_read_authorized? current_user
      else
        true
      end
    end

So Ruby has a function called respond_to? that can be used to see if a particular class or object has a method with a certain name. So the resource (e.g. record 1 of Users table) is readable (true) unless the resource has defined its own :user_read_authorized? method. If it does have a :user_read_authorized? method, then we take the user (resource.user_read_authorized?(current_user)) and evaluate it against the method. So if the method requires user to be logged in and have a role 6, then if current_user is logged in but has a role 5, then we return false. Otherwise (else) we return true, which means the user will have access to the page.

Is this what you were saying Rob? Also, would the next step to prevent the user from accessing, let's say, the edit action of User page be to define :user_read_authorized? So basically assign user_read_authorized role privileges so it can test it against the privileges of current_user (the currently logged in user). Any responses would be greatly appreciated. I've been on this all day.

Is this what you were saying Rob?

Yes, that's a good restatement of what I said/meant.

Also, would the next step to prevent the user from accessing, let's say, the edit action of User page be to define :user_read_authorized? So basically assign user_read_authorized role privileges so it can test it against the privileges of current_user (the currently logged in user). Any responses would be greatly appreciated. I've been on this all day.

Well, you could, but that's probably better as something you do in the controller (perhaps by defining a local version of authorized? if you're using a restful_authentication work-alike).

If you're not building a plugin for widespread use, you could just do the test "directly":

    class User
      def can_read(other)
        return false unless other.is_a?(User)
        self.role > other.role
      end
    end

Then in your controller's edit action

    def edit
      if @other = User.find_by_id(params[:user_to_edit_id])
        if current_user.can_read(@other)
          # do regular stuff (render, etc)
        else
          flash[:error] = "you can't read that user"
          redirect_to some_url
        end
      else
        flash[:error] = "can't find that user"
        redirect_to some_url
      end
    end

Season to taste. :wink:

-Rob

Rob Biedenharn http://agileconsultingllc.com Rob@AgileConsultingLLC.com
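
The default-allow behaviour of `read_authorized?` discussed in this thread, shown next to a deny-by-default variant. This is an added example, not code from the original posts or the project: the `Report` and `AuditLog` classes, the `_open?`/`_closed?` names, the `compare` helper and passing `current_user` as an argument are assumptions made so it runs outside Rails; the role numbers follow the "role 6 / role 5" illustration above.

```ruby
# Constructed stand-in for the application's user model (assumption).
User = Struct.new(:name, :role)

# A resource that defines the hook, so the helper performs a real check.
class Report
  def user_read_authorized?(user)
    !user.nil? && user.role >= 6
  end
end

# A resource whose author never defined the hook.
class AuditLog; end

# The helper from the thread; current_user is a parameter here (assumption).
def read_authorized_open?(resource, current_user)
  if resource.respond_to?(:user_read_authorized?)
    resource.user_read_authorized?(current_user)
  else
    true # fail-open: nil, or any object without the hook, is readable
  end
end

# Deny-by-default variant: a resource must opt in before anyone can read it.
def read_authorized_closed?(resource, current_user)
  return false if resource.nil? || current_user.nil?
  return false unless resource.respond_to?(:user_read_authorized?)
  resource.user_read_authorized?(current_user) == true
end

# Returns [fail-open result, fail-closed result] for one resource/user pair.
def compare(resource, user)
  [read_authorized_open?(resource, user), read_authorized_closed?(resource, user)]
end

if __FILE__ == $PROGRAM_NAME
  low = User.new("low", 5)
  admin = User.new("admin", 6)
  cases = { "Report, role 5" => [Report.new, low],
            "Report, role 6" => [Report.new, admin],
            "AuditLog, role 5" => [AuditLog.new, low],
            "nil resource, role 5" => [nil, low] }
  cases.each do |label, (resource, user)|
    open_result, closed_result = compare(resource, user)
    puts format("%-22s open=%-5s closed=%s", label, open_result, closed_result)
  end
end
```

The two helpers agree for `Report` and differ for `AuditLog` and `nil`, which is where a forgotten hook or a failed lookup turns into read access under the original logic.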