<p>In a typical Rails application, authentication information is stored in the active session, not the parameters. As such, it's pretty straightforward to write a helper that does what you want.</p>
<p>It seems rather unorthodox to create a module that is then included in ApplicationHelper. The traditional approach is to create a separate helper, which in this case would probably be called AuthenticationHelper. This can then be included in any required controllers or, if you prefer, loaded into ApplicationController to make it available universally.</p>
<p>In general terms, helpers should not include other helpers. It is better to simply load multiple helpers into a given controller.</p>
<p>Helper methods have full access to any instance variables declared within the controller context they are operating from. To be specific, these are instance variables only (@name) and not local variables (name). Helper methods are executed for a particular view as well.</p>
<p>Further, I'm not sure why a user would be providing credentials and performing an operation in the same step, at least for traditional web-based apps. Usually the process is to log in and then perform an action separately.</p>
<p>However, in the case of an API where each transaction is an independent operation, the most straightforward approach is to pull out the relevant request parameters that deal with authentication, establish some controller instance variables, and then proceed to perform the particular request given the constraints that the credentials impose.</p>
<p>The approach I usually follow for this sort of thing is to layer in an authentication structure in the ApplicationController itself which can perform the required checks. These are protected methods.</p>
<p>While it's tempting to roll in a whole heap of them such as can_edit_user? and can_create_group?, these very quickly get out of hand. It is a simpler design to put in a hook for a general-purpose can_perform? or has_authority_to? method that is passed an operation and any required parameters.</p>
<p>For example, a very rough implementation:</p>
<pre><code>class ApplicationController &lt; ActionController::Base
protected
  # `operation` is a symbol chosen by controller code (never taken from params);
  # it is mapped onto the predicate "#{operation}?" in AuthenticationCheck.
  # Any unknown operation or raising predicate is treated as a denial.
  def has_authority_to?(operation, conditions = { })
    AuthenticationCheck.public_send(:"#{operation}?", session_user, conditions) == true
  rescue StandardError
    false
  end
end

module AuthenticationCheck
  # The current session user is passed in by the controller so the module
  # does not depend on controller helpers.
  def self.edit_user?(session_user, conditions)
    session_user == conditions[:user]
  end
end

class UserController &lt; ApplicationController
  # ...
  def edit
    @user = User.find(params[:id])
    unless has_authority_to?(:edit_user, :user =&gt; @user)
      render(:partial =&gt; 'common/access_denied', :status =&gt; :forbidden)
    end
  rescue ActiveRecord::RecordNotFound
    render(:partial =&gt; 'users/not_found', :status =&gt; :not_found)
  end
end
</code></pre>
<p>Obviously you'd want to roll a lot of the authority checks into before_filter blocks to avoid repetition and to promote consistency.</p>
<p>A full framework example might be of more help, such as the Wristband user authentication system:</p>
<p><a href="http://github.com/theworkinggroup/wristband/tree/master" rel="nofollow noreferrer">http://github.com/theworkinggroup/wristband/tree/master</a></p>
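<p>As an added example that is not part of the answer above, the following plain-Ruby model shows the <code>has_authority_to?(operation, conditions)</code> hook together with a <code>before_filter</code>-style guard that stops the action body from running, so the dispatch can be exercised without Rails. Every name in it (<code>User</code>, <code>AuthorizationPolicy</code>, <code>AuthorityChecks</code>, <code>UsersController</code>, the sample users) is assumed for the demo; the point it adds is that the operation symbol is checked against an explicit allow-list before anything is dispatched, and that every failure mode (no session user, unknown operation, a predicate that raises or returns a non-boolean) resolves to a denial.</p>

```ruby
# Added example, not code from the original answer: a plain-Ruby model of the
# has_authority_to?(operation, conditions) hook and a before_filter-style
# guard, runnable without Rails. Every name here (User, AuthorizationPolicy,
# AuthorityChecks, UsersController, the sample users) is assumed for the demo.
require "set"

User = Struct.new(:id, :role, keyword_init: true)

# One predicate per operation; each receives the acting user and the
# conditions hash the controller passed in.
module AuthorizationPolicy
  # Explicit allow-list: an operation symbol not listed here is denied before
  # anything is dispatched, so a stray symbol can never reach public_send.
  OPERATIONS = Set.new(%i[edit_user create_group]).freeze

  def self.edit_user?(actor, conditions)
    target = conditions.fetch(:user) # KeyError if the caller forgot :user
    actor.role == :admin || actor.id == target.id
  end

  def self.create_group?(actor, _conditions)
    actor.role == :admin
  end
end

class AuthorizationError < StandardError; end

# Stands in for the protected helpers the answer puts on ApplicationController.
module AuthorityChecks
  # Fails closed: false for no session user, an unknown operation, a predicate
  # that raises, or a predicate returning anything other than literal true.
  def has_authority_to?(actor, operation, conditions = {})
    return false if actor.nil?
    return false unless AuthorizationPolicy::OPERATIONS.include?(operation)
    AuthorizationPolicy.public_send(:"#{operation}?", actor, conditions) == true
  rescue StandardError
    false
  end

  # before_filter-style guard: raises so the action body below it never runs.
  def authorize!(actor, operation, conditions = {})
    return true if has_authority_to?(actor, operation, conditions)
    raise AuthorizationError, "#{operation} denied"
  end
end

# Minimal controller stand-in: returns [status, body] where Rails would render.
class UsersController
  include AuthorityChecks

  def initialize(session_user, users_by_id)
    @session_user = session_user # what a Rails session_user helper would return
    @users = users_by_id         # stands in for User.find
  end

  def edit(params)
    user = @users[params[:id]]
    return [404, "not found"] unless user
    authorize!(@session_user, :edit_user, user: user)
    [200, "edit form for user #{user.id}"]
  rescue AuthorizationError
    [403, "access denied"]
  end
end

# Constructed sample data for the demo.
ALICE = User.new(id: 1, role: :member)
BOB   = User.new(id: 2, role: :member)
ROOT  = User.new(id: 3, role: :admin)
USERS = { 1 => ALICE, 2 => BOB, 3 => ROOT }.freeze

if $PROGRAM_NAME == __FILE__
  p UsersController.new(ALICE, USERS).edit(id: 1) # own record -> 200
  p UsersController.new(ALICE, USERS).edit(id: 2) # someone else's -> 403
  p UsersController.new(nil, USERS).edit(id: 2)   # no session -> 403
  p UsersController.new(ROOT, USERS).edit(id: 9)  # missing record -> 404
end
```

<p>In a real controller the <code>authorize!</code> call would live in a <code>before_filter</code> (or <code>before_action</code>) so that every action on the controller is covered by default; the allow-list is what makes <code>public_send</code> on the policy module safe even if the operation name were ever derived from anything other than a literal in controller code.</p>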