need help figuring out how to restrict access to a given user

sessions rails 4


#1 Vell (Inspector, Members, 78 posts, Location: Washington, DC)

Posted 21 April 2014 - 06:51 PM

I'm not sure if this is the right place to ask this question. If not, let me know where I can post it and I will repost.

Basically, I am having trouble trying to figure out how to restrict user access to only what they are assigned to.

I am currently creating a system where users are assigned to a group and through the group they have access to communicate with each other. The way I implemented this so far was to store their assigned groups (HABTM) in a session variable and then check that variable for the group id to see if that user is assigned to that group.

# Caches the user's group ids in the session once; the rescue modifier
# falls back to [0] if the association lookup raises
def set_allowed_discussion_group_ids
  if current_user
    session[:allowed_discussion_group_ids] ||= current_user.discussion_groups.map(&:id) rescue [0]
  end
end

To give an idea of my issue, if a user attempts to create a discussion the following check should run to make sure that they are allowed to start the discussion

# Checked when the user opens the "new discussion" form
def authorized_to_start_discussion?
  unauthorized_message_and_redirect unless session[:allowed_discussion_group_ids].include?(params[:discussion_group_id].to_i)
end

Then again when they go to create the discussion.

# Checked again on submit; the group id now arrives nested under params[:discussion]
def authorized_to_create_discussion?
  unauthorized_message_and_redirect unless session[:allowed_discussion_group_ids].include?(params[:discussion][:discussion_group_id].to_i)
end

My current issue is with the second method: when I click the submit button, I get into this method and it executes unauthorized_message_and_redirect even though the check returns true. I have been fighting with this for a while and have looked at it in many different ways and can't seem to tell what my issue is.

Is there a better way that I could implement something like this? I don't see this as being overly complicated, yet I can't seem to understand what I am doing wrong.

Thanks in advance for any help.



#2 Vell (Inspector, Members, 78 posts, Location: Washington, DC)

Posted 21 April 2014 - 07:03 PM

Hmm, more interestingly, I just found out that it is creating a record as it should, but it's running the unauthorized_message_and_redirect method anyway.



#3 Vell (Inspector, Members, 78 posts, Location: Washington, DC)

Posted 21 April 2014 - 07:15 PM

Unbelievable. It just hit me that the problem isn't in that method but in the one that is checking to see if the user is able to view the discussion. I'm still very much curious if there is a better way to do this, if anyone has any ideas.



#4 Ohm (Driver, Moderators, 450 posts, Location: Copenhagen)

Posted 24 April 2014 - 10:47 AM

Say we have a setup like yours, I'd do something like this:

# application_controller.rb
class ApplicationController < ActionController::Base
  before_filter :set_allowed_discussion_group_ids

  helper_method :authorized_to_start_discussion?

  ...
  private

  # Memoised per request in an instance variable rather than in the session,
  # so a change in group membership is picked up on the next request
  def set_allowed_discussion_group_ids
    @allowed_group_ids ||= current_user.discussion_groups.pluck(:id) if current_user
  end

  # pluck(:id) returns Integers but params are Strings, so the param has to be
  # cast before the include? comparison or the check never matches
  def authorized_to_start_discussion?
    unless @allowed_group_ids.include?(params[:discussion_group_id].to_i)
      unauthorized_message_and_redirect and return
    end

    true
  end
end

and then in another controller I'd do

class DiscussionsController < ApplicationController
  before_filter :authorized_to_start_discussion?, only: [:create]

  ...

  def create
    ...
  end
end

Blog: http://ohm.sh | Twitter: @madsohm | Work: Lokalebasen.dk
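An added example, not code from this thread, that models the two points above in plain Ruby without Rails: the String-vs-Integer comparison that silently denies a legitimate user, and why a per-request lookup is safer than a session snapshot. The MEMBERSHIPS hash, parse_group_id and revoke_membership are constructed stand-ins for the HABTM association.

```ruby
# Constructed stand-in for the HABTM association: user id => ids of the
# groups the user is currently assigned to (the DB in the real app).
MEMBERSHIPS = { 1 => [10, 20], 2 => [20] }

# Controller params always arrive as Strings. Accept only a plain base-10
# integer id; anything else (empty, "10abc", nil) yields nil.
def parse_group_id(raw)
  Integer(raw.to_s, 10)
rescue ArgumentError, TypeError
  nil
end

# Per-request check: reads the live memberships instead of a cached copy,
# so a user removed from a group is denied on the very next request.
def authorized_to_start_discussion?(user_id, raw_group_id)
  gid = parse_group_id(raw_group_id)
  return false if gid.nil?
  Array(MEMBERSHIPS[user_id]).include?(gid)
end

# The comparison bug from the thread: an uncast String param is never
# equal to an Integer id, so include? is always false.
def naive_include?(allowed_ids, raw_group_id)
  allowed_ids.include?(raw_group_id)
end

# What the session-snapshot approach sees: it keeps answering from the
# copy taken at login, even after memberships changed underneath it.
def cached_allows?(session, raw_group_id)
  session[:allowed_discussion_group_ids].include?(parse_group_id(raw_group_id))
end

# Simulates an admin removing a user from a group after the session started.
def revoke_membership(user_id, group_id)
  MEMBERSHIPS.fetch(user_id).delete(group_id)
end
```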


#5 Vell (Inspector, Members, 78 posts, Location: Washington, DC)

Posted 24 April 2014 - 02:06 PM

Thanks @ohm. That's definitely a lot cleaner. I like that you're using an instance variable instead of the session like I am.
