Hi Michael, Thanks a lot. Can you please make sure that you are using a version of activescaffold later than this commit: https://github.com/vhochstein/active_scaffold/commit/881e8d183feb4243f1268b6b6ec062e38f81454f
--
Volker

On Jan 19, 5:56 pm, Michael Latta <[email protected]> wrote:
> Thanks for looking at these.
>
> class User < ActiveRecord::Base
> validates_lengths_from_database
>
> devise :database_authenticatable, :authentication_keys => [:login_name]
> devise :trackable, :validatable, :lockable, :timeoutable
>
> # Setup accessible (or protected) attributes for your model. Protected
> # is being used here because solving a security problem at the model layer
> seems
> # wrong to me. The solution is to avoid mass-assignment from user provided
> # data for anything sensitive, and for unvalidated keys.
> attr_protected :encrypted_password, :password_salt
>
> #acts_as_audited :except => [:password_encrypt, :salt]
>
> validates :login_name, :presence => true, :uniqueness => true
> validates :location, :presence => true, :if => lambda { roles.detect { | r
> | r.role_name =~ /Location/ }}
> validates :roles, :presence => true
> validates :default_language, :presence => true
> validates :password_confirmation, :presence => true, :on => :create
>
> has_and_belongs_to_many :roles
> belongs_to :location
> belongs_to :default_language, :class_name => "Language"
>
> def to_label
> self.login_name
> end
>
> def has_role?(name)
> self.roles.detect { | r
> | r.role_name == name }
> end
>
> def admin?
> self.has_role? "System Modeler"
> end
>
> def programmer?
> self.has_role? "Programmer"
> end
>
> def authorized_for_delete?
> puts "Testing for delete security"
> # anonymous users may never destroy these/this records
> return false unless current_user
> # unless it's an existing record and a 'permanent' flag has been thrown
> return current_user.admin? || current_user.programmer?
> end
>
> def self.authorized_for_create?
> puts "Testing for create security"
> # anonymous users may never destroy these/this records
> return false unless current_user
> # unless it's an existing record and a 'permanent' flag has been thrown
> return current_user.admin? || current_user.programmer?
> end
>
> def authorized_for_update?
> puts "Testing for update security"
> # anonymous users may never destroy these/this records
> return false unless current_user
> # unless it's an existing record and a 'permanent' flag has been thrown
> return current_user.admin? || current_user.programmer?
> end
>
> def authorized_for_set_password?
> puts "Testing for set_password security"
> # anonymous users may never destroy these/this records
> return false unless current_user
> # unless it's an existing record and a 'permanent' flag has been thrown
> return current_user.admin? || current_user.programmer?
> end
> end
>
> class UsersController < SecureController
> before_filter :clear_page_status
>
> # Custom action to return the form for updating the password of a user
> def edit_password
> render :layout => false
> end
>
> # Modify the password for a user
> def set_password
> @record = User.find(params[:id])
> if @record && current_user && (current_user.admin? ||
> current_user.programmer?)
> @record.password = params[:password]
> @record.save!
> flash[:notice] = 'Password Set'
> else
> flash[:alert] = 'Unable to set password'
> end
> end
>
> # Setup the UI for the controller using ActiveScaffold config settings
> active_scaffold :User do | config |
> config.columns.add :password
> config.columns.add :password_confirmation
> infer_validations config
> config.columns[:email].required = true
> config.columns[:enabled].required = false
> config.columns[:password_confirmation].required = true
> config.list.sorting = {:login_name => :asc}
> config.columns.each { | c | c.weight = 1000 }
> config.columns[:login_name].weight = 100
> config.columns[:email].weight = 200
> config.columns[:enabled].weight = 300
> config.columns[:location].weight = 500
> cols = [:updated_at, :created_at, :encrypted_password, :password_salt,
> :password, :password_confirmation]
> config.list.columns.exclude cols.concat([:current_sign_in_ip,
> :current_sign_in_at, :last_sign_in_ip, :last_sign_in_at])
> config.show.columns.exclude cols
> config.show.columns.add_subgroup 'Contact' do | group |
> group.add :first_name
> group.add :last_name
> group.add :email
> group.add :contact_phone
> end
> config.show.columns.add_subgroup 'Last Login' do | group |
> group.add :last_sign_in_ip
> group.add :last_sign_in_at
> end
> config.show.columns.add_subgroup 'Current Login' do | group |
> group.add :current_sign_in_ip
> group.add :current_sign_in_at
> end
> config.update.columns.add_subgroup 'Contact' do | group |
> group.add :first_name
> group.add :last_name
> group.add :email
> group.add :contact_phone
> end
> config.create.columns.add_subgroup 'Contact' do | group |
> group.add :first_name
> group.add :last_name
> group.add :email
> group.add :contact_phone
> end
> config.columns[:default_language].form_ui = :select
> config.columns[:location].form_ui = :select
> config.columns[:roles].form_ui = :select
> cols = [:current_sign_in_at, :current_sign_in_ip, :failed_attempts,
> :last_sign_in_ip,
> :last_sign_in_at, :encrypted_password,
:password_salt, :locked_at]
> config.create.columns.exclude cols
> config.update.columns.exclude cols
> config.update.columns.exclude [:password, :password_confirmation]
> config.action_links.add :password, :label => 'Password', :position =>
> :after,
> :type => :member, :page => false, :controller => 'users', :action =>
> 'edit_password'
> config.columns[:default_language].clear_link
> config.columns[:roles].clear_link
> config.columns[:location].clear_link
> end
> end
>
> On Jan 19, 2011, at 12:33 AM, vhochstein wrote:
>
> > Hi Michael,
>
> > can you please post your model and controller.
>
> > --
> > Volker
>
> > On Jan 19, 5:06 am, Michael Latta <[email protected]> wrote:
> >> I am using the rails 3 jquery fork and not seeing the actions disabled
> >> when the security methods indicate they should. The operations are
> >> failing because of the security methods so they are being called by the
> >> operations, but not being used in controlling the actions. Currently I
> >> only have Model methods, do I need controller methods in addition?
>
> >> Michael
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "ActiveScaffold : Ruby on Rails plugin" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group
> > at http://groups.google.com/group/activescaffold?hl=en.

--
You received this message because you are subscribed to the Google Groups "ActiveScaffold : Ruby on Rails plugin" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/activescaffold?hl=en.
