role_requirement question

I am using restful_authentication in combination with role_requirement.

At the beginning of the controllers that I want to have login control over, I include

require_role "user"
require_role "admin"

For instance. If I log in as either of the two roles and then call a controller, it works fine. However, if I do not log in at all and simply call a controller, it lets me right in. It doesn't restrict access whatsoever. No redirect to a login page or nothing.

How do I restrict access if no user is logged in at all?

Thanks

You could use a before_filter in combination with the AuthenticatedSystem Module. Just add the following in your controller:

before_filter :login_required

You can also give the filter more options in case you want the login only for a couple of specific actions, or for all actions but one…

Thanks for the input.

I tried using before_filter :login_required along with the require_role calls but it doesn't work either.

Maybe there's a conflict between the two plugins?

Any thoughts?

Thanks

I’m using it right here in my own projects, they work alongside just fine…

before_filter :login_required, :only => [ :change_password ]

require_role "admin", :for => :edit, :unless => lambda { |user,params|
  return params[:id].to_i==user.id
}

require_role "admin", :for => [:index, :init_mailing]

Not sure where your problem could be coming from…

OK, good to know. I may have broken something while modifying one of the plugins then.

Thanks heaps Niels, that has set me in the right direction at least.

Elliott

You’re most welcome,

Good luck fixing!

Actually

require_role "user"
require_role "admin"

should be enough to protect your actions. I do it like that in my projects.

Nico

Hello Elliott,

Are you sure that:

1. You have these roles defined in the roles table? and;
2. There is an entry for row_id and user_id in your roles_users table?

For example,

If admin user has a user_id of 1 in users table and your roles table defines the "admin" role with a role_id = 1 then you must have a row in roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.

Bharat

I had broken r_a#before_filter :login_required by tweaking the source to make some tests pass. That change had also altered the way the r_r#require_role was working.

I changed the code back, and now require_role "user" & require_role "admin" do as they should without having to use before_filter :login_required as well.

Thanks for the help guys!
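An added example, not code from restful_authentication, role_requirement or any poster in this thread: a plain-Ruby model of the access decision discussed above, with a decision matrix that fails if a change ever lets an anonymous request through. `Policy`, `User`, `authorize` and `decision_matrix` are hypothetical names, and the way the `:unless` condition waives a rule is an assumption based on the rules quoted earlier.

```ruby
# Simplified stand-in for the access decision discussed in this thread.
# Not the plugin source: Policy, User and authorize are hypothetical names.
User = Struct.new(:id, :roles) do
  def has_role?(name)
    roles.include?(name)
  end
end

class Policy
  Rule = Struct.new(:role, :actions, :unless_proc)

  def initialize
    @rules = []
  end

  # actions: nil means every action; unless_proc waives the rule when it returns true
  def require_role(role, actions = nil, unless_proc = nil)
    @rules << Rule.new(role, actions && Array(actions), unless_proc)
    self
  end

  # Returns :allow, :deny (logged in, wrong role) or :login (nobody logged in).
  def authorize(user, action, params = {})
    applicable = @rules.select { |r| r.actions.nil? || r.actions.include?(action) }
    return :allow if applicable.empty?
    return :login if user.nil? # fail closed before any role lookup
    ok = applicable.all? do |r|
      (r.unless_proc && r.unless_proc.call(user, params)) || user.has_role?(r.role)
    end
    ok ? :allow : :deny
  end
end

# Constructed sample data mirroring the rules quoted earlier in the thread.
POLICY = Policy.new
  .require_role("admin", :edit, lambda { |user, params| params[:id].to_i == user.id })
  .require_role("admin", [:index, :init_mailing])

ADMIN = User.new(1, ["admin"])
PLAIN = User.new(2, ["user"])

# Every protected action, checked for an anonymous, a plain and an admin caller.
def decision_matrix(policy = POLICY)
  [:edit, :index, :init_mailing].map do |action|
    [action, [nil, PLAIN, ADMIN].map { |u| policy.authorize(u, action, { :id => "2" }) }]
  end.to_h
end
```

Keeping the anonymous caller as its own column in the matrix is what catches the regression described here: a source tweak that makes other tests pass cannot quietly turn `:login` into `:allow`.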

Bharat Ruparel wrote:

Hello Elliott,

Are you sure that:

1. You have these roles defined in the roles table? and;
2. There is an entry for row_id and user_id in your roles_users table?

For example,

If admin user has a user_id of 1 in users table and your roles table defines the "admin" role with a role_id = 1 then you must have a row in roles_users table corresponding to this combination:

role_id = 1, user_id = 1

Check if you have done this.

Bharat

Sorry for resurrecting an old thread, but this situation describes exactly the situation I have set up. Yet I can't get the user to authenticate as an administrator.

I have a single user who I have granted admin rights, in the admins_users table:

However, I can't seem to discover why the user is denied access.

Within the user model there is a method called has_role? which compares all names in the admin table versus "admin". If it matches then the user is granted admin access. I modified has_role? by passing the user's id in as well (lib/role_requirement_system.rb line 100). It now compares the user's id vs the ids in the admin table. A match grants admin access.