Redirection as POST to enable authentication for POST actions

Hi all,

I am wondering if anyone can help me or has had similar experiences before:

I am trying to authenticate users before allowing them to access certain actions (create, update, destroy) in my controller, e.g. items_controller. I have done this by using a before_filter that redirects them to a users_controller if session[:login] is nil. (e.g. items/update/25 redirects to users/login)

What I want to do is:

1. Preserve the original parameters in all redirections (from items/update/25 to users/login, users/login to users/authenticate, and users/authenticate to items/update/25)
2. Make the authentication transparent to the actions (they need not care/know if the incoming request is a redirection due to authentication or if it's a normal request).

I have come up with this incomplete solution:

1. I use flash to propagate the parameters (request.parameters) from items/update/25 to users/login to users/authenticate to items/update/25. I wasn't able to use session variables because they don't seem to be preserved across controllers (I'm not so sure about the reason).
2. I manually inserted the parameters back into params by applying a before_filter for the actions (create, update, destroy)

The problem I have with the above solution is:

1. It's not very transparent, as I have to manually insert the parameters back into params, but worst of all
2. The redirection causes the request to become a GET, not a POST, and I have to turn off the verify code (the one generated by scaffolding) that restricts Create, Update, and Destroy actions to POST.

Does anyone have any advice for the above?

Best regards,

Jesse P.

See how restful_authentication plugin does it.

Check #store_location in http://svn.techno-weenie.net/projects/plugins/restful_authentication/generators/authenticated/templates/authenticated_system.rb

Hi Pratik,

I have read the code you mentioned and it doesn't even seem to save the parameters, let alone handle POST. It merely does redirect_to from a saved URI.

Best regards,

Jesse

Hi Shai,

Thanks for your comments. For the parameters, I am now using session variables and it works across controllers (I'm not sure why it didn't work the other time). But as for acts_as_authenticated, I have seen the code and it doesn't store any parameters from the original request. It merely stores the URI. After authentication, it redirects to the saved URI in the session variable. There are 2 problems with this:

1. I want to be able to save the parameters from the original request
2. I want to redirect as POST not GET to the original URI

In light of the above, I don't think acts_as_authenticated will work for me. In your experience, do you have any other possible suggestions?

Thanks,

Jesse

This issue seems like such an obvious thing, that it makes me worried that there isn't an obvious Rails pattern or plug-in for this. Maybe other designers are punting on this or designing apps in such a way that it never comes up.

Bingo, check out the restful_authentication plugin.

http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated
http://svn.techno-weenie.net/projects/plugins/restful_authentication/
http://svn.techno-weenie.net/projects/plugins/acts_as_authenticated/
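An added example, not code from any poster or from either plugin, for the two requirements Jesse lists above: keeping the original parameters and having the original action still arrive as a POST. It stashes the blocked request (method, path, parameters) in the session; after login the application would render a form with these hidden fields that posts to the stored path, so the POST-only verify on create/update/destroy stays enabled. The module, method and key names are hypothetical, and a plain Hash stands in for the Rails session.

```ruby
require "uri"

# Added example; module, method and key names are hypothetical.
module PendingRequest
  KEY = :pending_request
  METHODS = %w[GET POST PUT DELETE].freeze
  SECRET = /password|token|secret/i  # top-level keys never written to the session
  TTL = 300                          # seconds a stashed request stays valid

  # Call from the before_filter when session[:login] is nil.
  def self.store(session, method, path, params, now = Time.now)
    verb = method.to_s.upcase
    return false unless METHODS.include?(verb) && local_path?(path)
    kept = params.reject { |k, _| k.to_s =~ SECRET }
    session[KEY] = { method: verb, path: path, params: kept, at: now.to_i }
    true
  end

  # Call after users/authenticate succeeds; the entry is single-use and expires.
  def self.take(session, now = Time.now)
    pending = session.delete(KEY)
    return nil if pending.nil? || now.to_i - pending[:at] > TTL
    pending
  end

  # Accept only paths on this site, so the stash cannot become an open redirect.
  def self.local_path?(path)
    s = path.to_s
    uri = URI.parse(s)
    uri.scheme.nil? && uri.host.nil? && s.start_with?("/") && !s.start_with?("//")
  rescue URI::InvalidURIError
    false
  end

  # Flatten nested params into form field names ("item[name]") for the hidden
  # fields of the form that re-submits as POST. Array values are out of scope.
  def self.form_fields(params, prefix = nil)
    params.flat_map do |k, v|
      name = prefix ? "#{prefix}[#{k}]" : k.to_s
      v.is_a?(Hash) ? form_fields(v, name) : [[name, v.to_s]]
    end
  end
end
```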