In web applications where we have private areas that only registered members must access, we must implement mechanisms that allow users to only see once they are authenticated.
Filters
Filters are Rails tools that allow us to intercept calls to methods and actions, allowing us to add our methods either before, during or after, so that we can control the flow of the application as we see fit to fulfill our functionalities. In this stage we will use the before filter to intercept the calls to our actions, in this way we can verify the session and know if the user is logged in, if not then we redirect it to wherever we have arranged. We will place this method in our application controller as it is the basis and will be available for the entire application.
Let's see the code we have for it:
def authorize unless session [: user_id] flash [: notice] = "Please log in" redirect_to (: controller => "login", : action => "login") end end
As we see the logic behind this is quite simple, we use a Ruby conditional that is unless, this allows us to condition that unless the condition is met the block code is executed. Then unless we have an id of a user in session we will redirect it and ask it to authenticate in the application.
Now in our administrator controller we will filter and ask users to authenticate:
class AdminController <ApplicationController before_filter: authorize
And in our login controller we also do something similar, only we will add the exception of the login action that is the one that interests us that can be seen by any unauthenticated user:
class LoginController: login
If we are not logged in we should see something like this when accessing the administrative page of the application:
Now we have the way to apply and filter that users can not see the administrative panels if they are not logged in, however we have a last inconsistency, in the part of removing users we must avoid deleting the general administrator of the application since if We do not, there is a possibility that a user deletes all users and we are left without access unless we directly modify the database and it is unacceptable for our application. To do this we are going to create a special event again, in this case it will be the before_destroy, which makes it before executing the destroy action to execute a method.
Let's see the code:
before_destroy: dont_destroy_dave def dont_destroy_dave raise "Can't destroy dave" if self.name == 'dave' end
Then in our delete action we will capture the message and show it, let's see the code of the action:
def delete_user id = params [: id] if id && user = User.find (id) begin user.destroy flash [: notice] = "User # {user.name} deleted" rescue flash [: notice] = "Can ' t delete that user "end end redirect_to (: action =>: list_users) end This concludes our access limitation tutorial in our application, it is important to cover all possibilities to prevent unauthorized users from seeing or modifying our administrative part, this to avoid future headaches and security problems that will make our application Insecure and unstable.
- 0
Articles