Tate (5 posts)

In our depot app we set the authorize action in the store controller so that anyone can view products and check out. But what if we wanted to require people to log in to check out? Accordingly, how would we check to see if someone is logged in before we show the cart partial?

 
James West (70 posts)

This is covered in the next bit of the book, where the authorize method is moved to use a before filter.

 
Tate (5 posts)

If you mean the before_filter :authorize, :except => "login" in the application controller, I have that already.

Basically, this will require authorize on all actions except the login action, and in our store controller we define authorize as blank so any guest can perform any action on that particular controller.

I suppose I could use a before_filter on all controllers and :except any action that I want to be public, but that doesn't seem very DRY.

 
James West (70 posts)

I meant that it is covered in the next part of the book; you just have not read far enough yet.
Sorry for the confusion.

 
James West (70 posts)

Hi,
At the bottom of page 173, the paragraph underneath the code that sets the before_filter says:

"Note that this is going too far. We have just limited access to the store itself to
administrators. That's not good.
We could go back and change things so that we only mark those methods" ... etc.

You must have missed that part when you were reading the book! lol!
Hope that helps.

 
Tate (5 posts)

Right, and then it says to provide an override for the authorize method, which we define like so:

def authorize
end

So now every action in the store controller is accessible without needing authentication. My question is: how would I require authentication for the checkout action? What if I wanted to do the reverse? Let's say I wanted to list all users to the public. The users controller is being authenticated, so let's say I wanted to open up the index action, for example.

 
James West (70 posts)

Hi Tate,
If I understand you correctly, you want to selectively authorize actions at the controller method level?

I think if I were doing this from a noob perspective I would probably use some kind of flag as a parameter to the authorize method.
Maybe call it something like need_to_login.
Decide on a value for true and false, then check the state of the flag before continuing the authorize method.
You can then call the authorize method within the individual methods in your controller, passing it a true or false value.

# The flag decides whether this call enforces login at all.
def authorize(need_to_log_in)
  if need_to_log_in
    # find_by_id returns nil (rather than raising) when the session holds no valid user id
    unless User.find_by_id(session[:user_id])
      flash[:notice] = "Please log in"
      redirect_to :controller => :admin, :action => :login
    end
  end
end

I'm not sure if I have the syntax correct, or even if this would work, but it is probably the way I would approach this problem given my limited Rails knowledge.
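As an added example (not code from the book or the depot app), the way Rails itself answers both of Tate's questions, without a blank `authorize` override or a flag parameter, is `skip_before_filter` with `:only` / `:except`: the store controller skips `authorize` for everything except `checkout`, and the users controller skips it only for `index`. Because Rails cannot be loaded here, the block below is a small plain-Ruby stand-in that reproduces the `before_filter` / `skip_before_filter` option semantics; `MiniController`, the `USERS` table, the redirect target and the controller actions are constructed for the demo and are assumptions, not the depot app's own code. The point it shows is that the application-wide filter stays in force by default, so any new action added to either controller requires login unless it is deliberately listed, which is the fail-closed direction you want.

```ruby
# Added example: a tiny stand-in for Rails 2's before_filter / skip_before_filter
# chain, so the per-action authorization pattern can run without Rails.
# MiniController, USERS and the controller actions are assumptions for this demo.
class MiniController
  attr_reader :session, :flash, :redirected_to

  # Each subclass starts with a copy of its parent's filters (simplified: Rails
  # resolves filter inheritance dynamically; this copies at definition time).
  def self.inherited(subclass)
    subclass.instance_variable_set(:@filters, filters.map { |f| f.dup })
  end

  def self.filters
    @filters ||= []
  end

  # before_filter :name, :only => [...] / :except => [...]
  def self.before_filter(name, options = {})
    filters << [name, normalize(options)]
  end

  # skip_before_filter :name, :only => a   => filter no longer runs for a
  # skip_before_filter :name, :except => a => filter now runs only for a
  def self.skip_before_filter(name, options = {})
    opts = normalize(options)
    filters.map! do |fname, fopts|
      next [fname, fopts] unless fname == name
      if opts[:only]
        [fname, { :except => (fopts[:except] || []) + opts[:only] }]
      elsif opts[:except]
        [fname, { :only => opts[:except] - (fopts[:except] || []) }]
      end # no options: nil, i.e. unconditional skip, dropped by compact! below
    end
    filters.compact!
  end

  def self.normalize(options)
    Hash[options.map { |k, v| [k, Array(v).map { |a| a.to_s }] }]
  end

  def initialize(session = {})
    @session = session
    @flash = {}
    @redirected_to = nil
  end

  # Run the filters that apply to this action; a redirect halts the chain
  # before the action body is reached.
  def process(action)
    action = action.to_s
    self.class.filters.each do |name, opts|
      next if opts[:only]   && !opts[:only].include?(action)
      next if opts[:except] && opts[:except].include?(action)
      send(name)
      return :redirected if @redirected_to
    end
    send(action)
  end

  def redirect_to(target)
    @redirected_to = target
  end
end

class ApplicationController < MiniController
  # Deny by default: every action needs a logged-in user except login.
  before_filter :authorize, :except => :login

  USERS = { 1 => "admin" } # constructed stand-in for User.find_by_id

  def authorize
    unless USERS[session[:user_id]]
      flash[:notice] = "Please log in"
      redirect_to "/admin/login" # assumed login URL
    end
  end
end

class StoreController < ApplicationController
  # Public storefront; only checkout keeps the login requirement.
  skip_before_filter :authorize, :except => :checkout

  def index;       :store_index;   end
  def add_to_cart; :added;         end
  def checkout;    :checkout_form; end
end

class UsersController < ApplicationController
  # Admin controller with a single public action.
  skip_before_filter :authorize, :only => :index

  def index; :user_list;     end
  def new;   :new_user_form; end
end

# action => [result for an anonymous request, result for a logged-in request]
def run_matrix(controller_class, actions)
  actions.inject({}) do |results, action|
    anonymous = controller_class.new({}).process(action)
    logged_in = controller_class.new({ :user_id => 1 }).process(action)
    results.merge(action => [anonymous, logged_in])
  end
end

if __FILE__ == $0
  p run_matrix(StoreController, [:index, :add_to_cart, :checkout])
  p run_matrix(UsersController, [:index, :new])
end
```

In the real app the same effect is two lines: `skip_before_filter :authorize, :except => :checkout` in StoreController and `skip_before_filter :authorize, :only => :index` in UsersController, with the blank `authorize` override removed so the ApplicationController version is the only one. Prefer listing the public actions (`:except` on the skip, `:only` on the skip) over listing the protected ones, so that forgetting to list a new action leaves it protected rather than exposed.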

7 posts, 2 voices