Redirection as POST to enable authentication for POST actions

Hi all,

I am wondering if anyone can help me or has had similar experiences
before:

I am trying to authenticate users before allowing them to access
certain actions (create, update, destroy) in my controller, e.g.
items_controller. I have done this by using a before_filter that
redirects them to a users_controller if session[:login] is nil. (e.g.
items/update/25 redirects to users/login)

What I want to do is:
1. Preserve the original parameters in all redirections (from
items/update/25 to users/login, users/login to users/authenticate, and
users/authenticate to items/update/25)
2. To make the authentication transparent to the actions (they need
not care/know if the incoming request is a redirection due to
authentication or if it's a normal request).

I have come up with this incomplete solution:
1. I use flash to propagate the parameters (request.parameters) from
items/update/25 to users/login to users/authenticate to
items/update/25. I wasn't able to use session variables because it
doesn't seem to be preserved across controllers (I'm not so sure about
the reason).
2. I manually inserted the parameters back into params by applying a
before_filter for the actions (create, update, destroy)

The problem I have for the above solution is:
1. It's not very transparent as I have to manually insert the
parameters back to params, but worst of all
2. The redirection causes the request to become a GET not a POST and I
have to turn off the verify code (the one generated by scaffolding)
that restricts Create, Update, and Destroy actions to POST.

Does anyone have any advice for the above?

Best regards,

Jesse P.

See how restful_authentication plugin does it.

Check #store_location in
http://svn.techno-weenie.net/projects/plugins/restful_authentication/generators/authenticated/templates/authenticated_system.rb

Hi Pratik,

I have read the code you mentioned and it doesn't even seem to save the
parameters, let alone handle POST. It merely does redirect_to from a
saved URI.

Best regards,

Jesse

Hi Shai,

Thanks for your comments. For the parameters, I am now using session
variables and it works across controllers (I'm not sure why it didn't
work the other time). But as for acts_as_authenticated, I have seen
the code and it doesn't store any parameters from the original request.
It merely stores the URI. After authentication, it redirects to the
saved URI in the session variable. There are 2 problems with this:

1. I want to be able to save the parameters from the original request
2. I want to redirect as POST not GET to the original URI

In light of the above, I don't think acts_as_authenticated will work
for me. In your experience, do you have any other possible
suggestions?

Thanks,

Jesse
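
The two requirements listed above (keep the original parameters, and arrive back at the action as a POST) modelled in plain Ruby, as an added example that is not code from this thread or from either plugin. The session is a plain Hash, and all function names, the 300-second expiry and the allow-list of replayable actions are assumptions.

```ruby
require "erb"
require "uri"

MAX_AGE = 300 # seconds a stashed request stays valid (assumed value)
REPLAYABLE = { "items" => %w[create update destroy] }.freeze # assumed allow-list

# before_filter side: remember the unauthenticated request, return the login URL.
def stash_request(session, method, controller, action, params, now = Time.now)
  session[:pending] = { method: method.to_s.upcase, controller: controller,
                        action: action, params: params, at: now.to_i }
  "/users/login"
end

# After users/authenticate succeeds: hand back the stashed request once, or nil.
def resume_request(session, now = Time.now)
  pending = session.delete(:pending)            # one-shot: never replayed twice
  return nil unless pending && session[:login]  # only for a logged-in session
  return nil if now.to_i - pending[:at] > MAX_AGE
  return nil unless REPLAYABLE.fetch(pending[:controller], []).include?(pending[:action])
  pending
end

# Flatten nested params into Rails-style field names, e.g. item[name], tags[].
def flatten_params(params, prefix = nil)
  params.flat_map do |key, value|
    name = prefix ? "#{prefix}[#{key}]" : key.to_s
    case value
    when Hash  then flatten_params(value, name)
    when Array then value.map { |v| ["#{name}[]", v.to_s] }
    else [[name, value.to_s]]
    end
  end
end

# A redirect cannot carry the original body, so render a form that the browser
# submits as a real POST; the POST-only verify can then stay enabled.
def replay_form(pending)
  esc = ERB::Util.method(:html_escape)          # escape every stored value
  id = pending[:params]["id"]
  url = "/#{pending[:controller]}/#{pending[:action]}"
  url += "/#{URI.encode_www_form_component(id.to_s)}" if id
  fields = flatten_params(pending[:params].reject { |k, _| k == "id" }).map do |name, value|
    %(<input type="hidden" name="#{esc.call(name)}" value="#{esc.call(value)}">)
  end
  %(<form method="post" action="#{esc.call(url)}">#{fields.join}) +
    %(<input type="submit" value="Continue"></form>)
end
```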

This issue seems like such an obvious thing that it makes me worried
that there isn't an obvious Rails pattern or plug-in for this. Maybe
other designers are punting on this or designing apps in such a way that
it never comes up.

Bingo, check out the restful_authentication plugin.

http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated
http://svn.techno-weenie.net/projects/plugins/restful_authentication/
http://svn.techno-weenie.net/projects/plugins/acts_as_authenticated/