The ultimate community for Ruby on Rails developers.

new to rails


11 replies to this topic

#1 deanforu


    Passenger

  • Members
  • 5 posts

Posted 14 August 2013 - 07:12 PM

I'm a web developer for a small web company that doesn't know how to say no to taking on projects. I'm a PHP developer mainly, but I've been put in charge of this Ruby on Rails site. I can manage to fix most of their problems with the database; however, modifying the Ruby on Rails application is a different story. I can find the code on the site fine enough to make modifications, but when I recently went to change a file, the modifications I made to the code should have altered the behaviour of the website to allow 3 different user.id's to edit invoices, but really I was not making a change to the behaviour.

 

cameo@CAMEO-S1:/opt/cameo/current/app/controllers$ vi invoices_controller.rb

# To change this template, choose Tools | Templates
# and open the template in the editor.

class InvoicesController < ApplicationController
  before_filter :requires_lana

  def requires_lana
    # This is the line I changed; it used to read: if self.current_user.id != 29
    if self.current_user.id != 93 || self.current_user.id != 16 || self.current_user.id != 69
      flash[:error] = 'Only LanaS may currently access this part of the system.'
      redirect_to '/'
    end
  end

  def edit
    @invoice_header = InvoiceHeader.find(params[:id])
  end

  def update
    @invoice_header = InvoiceHeader.find(params[:id])
    # we divided the amount by 1000 to make it easier on the user, so we need to undo that here
    params[:invoice_header][:invoice_attributes].each do |offset, values|
      values.each do |key, value|
        values[key] = (values[key].to_f * 1000).to_i if key == 'rate_in_cents' || key == 'expense_amt_in_cents'
      end
    end
    # update_attributes returns true or false; branch on that value directly
    if @invoice_header.update_attributes(params[:invoice_header])
      flash[:notice] = 'Invoice Details updated successfully'
      redirect_to :back
    else
      render 'edit'
    end
  end
end

This change was supposed to allow 2 more admins to manage editing invoices, however, nothing happens and no link to edit the invoice appears.

 

The reasoning behind having to change this was that the admin user Lana's dashboard one day all of a sudden decided not to work.

 

When I created a new user for Lana as user.id 93 and moved the code away from user.id 29, no rendering of the edit comes up for her or anybody else I've intended it for. If I switch the code back and her user back to 29 in the database, the corrupted login and dashboard re-appear.

I'm probably stuck inside a proprietary business rules issue, but I'm hoping all you smart ROR programmers out there can mental out what is going on here. Is there possibly more code I need to be looking at? A model or view??
 



#2 Adam


    Inspector

  • Administrators
  • 71 posts

Posted 14 August 2013 - 07:41 PM

This does seem like an awful way to manage permissions; however, to resolve your issue you may wish to try:

    unless [93, 16, 69].include?(current_user.id)
      # redirect if they should not have access
    end

However, you'd be best adding a column to the users table and using that to control access, and then use something like:

    unless current_user.can_edit_invoices?
      # redirect if not access
    end

Adam Cooke

from aTech Media - UK-based Ruby on Rails developers. 



#3 deanforu


    Passenger

  • Members
  • 5 posts

Posted 14 August 2013 - 07:50 PM

Do you think it's the syntax of the if conditionals? I tried it with just one conditional:

 

if self.current_user.id != 93 ... (and I just changed the number of the user.id in the conditional from 29 to 93, and it still refused to work.)



#4 noz


    Signalman

  • Members
  • 21 posts

Posted 14 August 2013 - 07:55 PM

I second Adam's suggestion on adding a column for authorization. It might be a little over your head if you're just starting out, but adding CanCan to your application can be a life-saver if you find yourself doing this a lot (authorizing users for various tasks). It's definitely worthwhile to learn a bit about both Ruby and the Rails framework before making changes; I highly recommend the Rails for Zombies series as a brief introduction.

 

Since you're inheriting this application from somebody else, I would do a thorough analysis of the existing infrastructure. Probably most important is whatever is in the app/models folder and the test directory (assuming the application was tested). There might already be existing functionality for exactly what you're trying to do now and you're just duplicating work, so it definitely doesn't hurt to check.



#5 Adam


    Inspector

  • Administrators
  • 71 posts

Posted 14 August 2013 - 08:11 PM

Did you restart the app's web server after making the changes?




#6 deanforu


    Passenger

  • Members
  • 5 posts

Posted 14 August 2013 - 08:43 PM

Do code changes made to Ruby files always require a restart of the web server?



#7 deanforu


    Passenger

  • Members
  • 5 posts

Posted 14 August 2013 - 08:48 PM

If I change the code to user 93, it doesn't show the edit link for the invoice; when I change the code back to user 29, the corrupted login and dashboard re-appear, so this tells me the changes I make to the code take effect immediately.



#8 Adam


    Inspector

  • Administrators
  • 71 posts

Posted 14 August 2013 - 09:04 PM

The display of the "edit" link will be nothing to do with this. This particular code handles restricting access to the actual actions rather than any links within the views. You should take a look at the view to see what logic hides/shows the "edit" link.




#9 deanforu


    Passenger

  • Members
  • 5 posts

Posted 14 August 2013 - 09:16 PM

Sorry, pardon my newbieness... I found this line in the invoice_details view directory, in the "edit.html.erb" file, but there was no logic for whether to show this link or not.

 

<td><%= link_to 'Edit', edit_invoice_detail_path(invoice_detail) %></td>

 

At the bottom of the invoices_controller.rb above, what does render 'edit' mean?

 

I feel much like a blind man, not knowing ruby... so excuse me...
 



#10 Adam


    Inspector

  • Administrators
  • 71 posts

Posted 14 August 2013 - 09:52 PM

If there's no logic around that link_to then I don't see how it would appear and disappear on a per-user basis (unless there's some CSS or JS going on).




#11 noz


    Signalman

  • Members
  • 21 posts

Posted 14 August 2013 - 10:16 PM

if I change the code to user 93 it doesn't show the edit link for the invoice, when I change the code back to user 29 the corrupted login and dashboard re-appear so this tells me the changes I make to the code take effect immediately.

Make sure you look at the surrounding logic (if any) as well. The relevant logic may not be on the same line as the link.



#12 alejandro


    Passenger

  • Members
  • 2 posts

Posted 20 August 2013 - 08:47 PM

If you want to allow users 93, 16 and 69, then you may change all || with && in requires_lana; otherwise nobody can edit InvoiceHeader.
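
As an added example (not code from this thread or from the application being discussed), the plain-Ruby sketch below models the requires_lana filter and shows why the posted || condition locks everyone out, alongside the three fixes suggested in #2 and #12: && chaining, a membership test, and a per-user attribute. The User struct, the allowed-id list and the helper names are assumptions made for illustration.

```ruby
# Added example, not the application's code: a plain-Ruby model of the
# requires_lana before_filter. Each "denied?" helper returns true when the
# filter would redirect the user away. The User struct stands in for the
# Rails model and its can_edit_invoices field for the column Adam suggested.
User = Struct.new(:id, :can_edit_invoices)

ALLOWED_IDS = [93, 16, 69].freeze

# The condition as posted, chained with ||. For any id, at least two of the
# three inequalities are true, so the whole expression is always true and the
# filter redirects every user, including the three it was meant to allow.
def denied_as_posted?(user)
  user.id != 93 || user.id != 16 || user.id != 69
end

# alejandro's fix (#12): with && the check means "not any of the allowed ids".
def denied_with_and?(user)
  user.id != 93 && user.id != 16 && user.id != 69
end

# Adam's first suggestion (#2): a membership test says the same thing and
# does not break when the list of ids changes.
def denied_by_list?(user)
  !ALLOWED_IDS.include?(user.id)
end

# Adam's preferred fix (#2): authorise on a per-user attribute (a column on
# the users table in the real app) instead of on hard-coded ids.
def denied_by_role?(user)
  !user.can_edit_invoices
end

# Report which variants let a given user through to the invoice actions.
def access_report(user)
  {
    as_posted: !denied_as_posted?(user),
    with_and:  !denied_with_and?(user),
    by_list:   !denied_by_list?(user),
    by_role:   !denied_by_role?(user)
  }
end

if __FILE__ == $PROGRAM_NAME
  [User.new(93, true), User.new(29, false)].each do |u|
    puts "user #{u.id}: #{access_report(u)}"
  end
end
```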
