Thanks for looking at these.
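class User < ActiveRecord::Base
  validates_lengths_from_database

  devise :database_authenticatable, :authentication_keys => [:login_name]
  devise :trackable, :validatable, :lockable, :timeoutable

  # Mass-assignment protection here is a *blacklist*: only the stored
  # credential columns are protected, everything else (including +roles+ /
  # +role_ids+) stays mass-assignable. The original author's rationale was
  # that sensitive data should simply never be mass-assigned from user input.
  # That holds only while every controller that writes a User is admin-only,
  # as UsersController is. NOTE(review): if a self-service profile form is ever
  # added, switch to an attr_accessible whitelist so a user cannot grant
  # themselves "System Modeler" by posting role_ids.
  attr_protected :encrypted_password, :password_salt
  #acts_as_audited :except => [:password_encrypt, :salt]

  validates :login_name, :presence => true, :uniqueness => true
  # A location is mandatory only for users holding a location-scoped role.
  validates :location, :presence => true,
            :if => lambda { roles.detect { |r| r.role_name =~ /Location/ } }
  validates :roles, :presence => true
  validates :default_language, :presence => true
  validates :password_confirmation, :presence => true, :on => :create

  has_and_belongs_to_many :roles
  belongs_to :location
  belongs_to :default_language, :class_name => "Language"

  # Display label used by ActiveScaffold.
  def to_label
    login_name
  end

  # True when this user holds a role whose role_name equals +name+ exactly.
  def has_role?(name)
    roles.any? { |r| r.role_name == name }
  end

  def admin?
    has_role? "System Modeler"
  end

  def programmer?
    has_role? "Programmer"
  end

  # Single authorization rule shared by the ActiveScaffold per-model security
  # hooks below: anonymous requests are always denied; otherwise only admins
  # and programmers may create, update, delete or set passwords.
  #
  # +user+ is the current_user that the hooks read. Presumably ActiveScaffold's
  # ActiveRecordPermissions hook exposes current_user to the model on both the
  # class and instance side — confirm it is configured, otherwise these hooks
  # raise instead of denying. The old per-method +puts+ debug output was
  # removed: authorization checks should not write to stdout.
  def self.privileged?(user)
    return false unless user
    user.admin? || user.programmer?
  end

  def authorized_for_delete?
    self.class.privileged?(current_user)
  end

  def self.authorized_for_create?
    privileged?(current_user)
  end

  def authorized_for_update?
    self.class.privileged?(current_user)
  end

  def authorized_for_set_password?
    self.class.privileged?(current_user)
  end
end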
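class UsersController < SecureController
  before_filter :clear_page_status

  # Custom action returning the password form for a user, rendered without
  # the layout so the ActiveScaffold action link can load it inline.
  def edit_password
    render :layout => false
  end

  # Modify the password for a user.
  #
  # Only admins and programmers may do this; this duplicates the rule in
  # User#authorized_for_set_password? and must be kept in sync with it.
  # User.find raises RecordNotFound (-> 404) for an unknown id, so no nil
  # check on @record is needed. Devise's :validatable still applies to the
  # new password, so a failed save is reported through the flash instead of
  # letting save! raise and surface as a 500.
  # NOTE(review): assumes the base controller enables protect_from_forgery —
  # confirm, since this action changes credentials.
  def set_password
    @record = User.find(params[:id])
    if current_user && (current_user.admin? || current_user.programmer?)
      @record.password = params[:password]
      if @record.save
        flash[:notice] = 'Password Set'
      else
        flash[:alert] = "Unable to set password: #{@record.errors.full_messages.join(', ')}"
      end
    else
      flash[:alert] = 'Unable to set password'
    end
  end

  # Setup the UI for the controller using ActiveScaffold config settings
  active_scaffold :User do |config|
    config.columns.add :password
    config.columns.add :password_confirmation
    infer_validations config
    config.columns[:email].required = true
    config.columns[:enabled].required = false
    config.columns[:password_confirmation].required = true
    config.list.sorting = { :login_name => :asc }

    # Column ordering: everything defaults to 1000, the important ones float up.
    config.columns.each { |c| c.weight = 1000 }
    config.columns[:login_name].weight = 100
    config.columns[:email].weight = 200
    config.columns[:enabled].weight = 300
    config.columns[:location].weight = 500

    # Never expose the stored credential columns or raw password fields.
    cols = [:updated_at, :created_at, :encrypted_password, :password_salt,
            :password, :password_confirmation]
    # NB: Array#concat mutates +cols+, so the sign-in tracking columns are
    # excluded from show as well; the show subgroups below add them back.
    config.list.columns.exclude cols.concat([:current_sign_in_ip, :current_sign_in_at,
                                             :last_sign_in_ip, :last_sign_in_at])
    config.show.columns.exclude cols

    config.show.columns.add_subgroup 'Contact' do |group|
      group.add :first_name
      group.add :last_name
      group.add :email
      group.add :contact_phone
    end
    config.show.columns.add_subgroup 'Last Login' do |group|
      group.add :last_sign_in_ip
      group.add :last_sign_in_at
    end
    config.show.columns.add_subgroup 'Current Login' do |group|
      group.add :current_sign_in_ip
      group.add :current_sign_in_at
    end
    config.update.columns.add_subgroup 'Contact' do |group|
      group.add :first_name
      group.add :last_name
      group.add :email
      group.add :contact_phone
    end
    config.create.columns.add_subgroup 'Contact' do |group|
      group.add :first_name
      group.add :last_name
      group.add :email
      group.add :contact_phone
    end

    config.columns[:default_language].form_ui = :select
    config.columns[:location].form_ui = :select
    config.columns[:roles].form_ui = :select

    # Devise bookkeeping columns are never editable through the scaffold forms.
    cols = [:current_sign_in_at, :current_sign_in_ip, :failed_attempts,
            :last_sign_in_ip, :last_sign_in_at, :encrypted_password,
            :password_salt, :locked_at]
    config.create.columns.exclude cols
    config.update.columns.exclude cols
    # Passwords are only changed through the guarded set_password action,
    # never via the generic update form.
    config.update.columns.exclude [:password, :password_confirmation]

    config.action_links.add :password, :label => 'Password', :position => :after,
                            :type => :member, :page => false,
                            :controller => 'users', :action => 'edit_password'

    config.columns[:default_language].clear_link
    config.columns[:roles].clear_link
    config.columns[:location].clear_link
  end
end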
On Jan 19, 2011, at 12:33 AM, vhochstein wrote:
> Hi Michael,
>
> can you please post your model and controller.
>
> --
> Volker
>
> On Jan 19, 5:06 am, Michael Latta <[email protected]> wrote:
>> I am using the rails 3 jquery fork and not seeing the actions disabled when
>> the security methods indicate they should. The operations are failing
>> because of the security methods so they are being called by the operations,
>> but not being used in controlling the actions. Currently I only have Model
>> methods, do I need controller methods in addition?
>>
>> Michael
>