Rails%203%20In%20Action

More documents

Recommendations

Info

Restricting read access you may have a large number of projects and want to assign a user to only one of them. Whitelist authorization involves fewer steps in restricting a user to one project. A good way to think about whitelist authorization is as the kind of list a security guard would have at an event. If you’re not on the list, you don’t get in. A blacklist comparison would be if the security guard had a list of people who weren’t allowed in. This chapter guides you through restricting access to the CRUD operations of TicketsController one by one, starting with reading and then moving into creating, updating, and deleting. Any time users want to perform one of these actions, they must be granted permission to do so, or added to “the list.” During this process, you’ll see another gem called CanCan, which provides some methods for your controllers and views that help you check the current user’s permission to perform a specific action. You first set up permissions through the Cucumber features, and once you’re done with restricting the actions in your controller, you’ll generate functionality in the backend to allow administrators of the application to assign permissions to users. 8.1 Restricting read access A time comes in every ticket-tracking application’s life when it’s necessary to restrict which users can see which projects. For example, you could be operating in a consultancy where some people are working on one application, and others are working on another. You want the admins of the application to be able to customize which projects each user can see. First, you create a model called Permission that tracks which users have which permissions for which actions. Before you create that model, you must update one of your Viewing Projects features to make sure only users who have permission to view a project are able to do so. Add a background and change the scenario in this feature to set up a user with the correct permissions, and then make the user visit that project, changing the code in the scenario in this feature to what is shown in the following listing. Listing 8.1 features/viewing_projects.feature Background: Given there are the following users: | email | password | | user@ticketee.com | password | And I am signed in as them And there is a project called "TextMate 2" And "user@ticketee.com" can view the "TextMate 2" project Scenario: Listing all projects And I am on the homepage When I follow "TextMate 2" Then I should be on the project page for "TextMate 2" You’ve effectively rewritten a large portion of this feature, which is common practice when implementing such large changes. B 165 Let user view project
166 CHAPTER 8 More authorization Underneath the there is a project step in the Background for this feature is a new step B. It’s responsible for giving the specified user access to the specified project, but not just any permission: permission to view the project. This step is currently undefined, so when you run bin/cucumber features/viewing_projects.feature, you get the step definition for it: Given /^"([^"]*)" can view the "([^"]*)" project$/ do |arg1, arg2| pending # express the regexp above with the code you wish you had end To implement this step, you use the not-yet-existent Permission model, which stores the permissions in the database. This model needs a related table called permissions, which contains three fields. The first field is the action field, which keeps track of the type of permission a user has on particular objects. The objects can be of different types, so you must create two fields to track the association to the object: thing_type and thing_id. This kind of association is called a polymorphic association, poly meaning “many” and morphic meaning “forms,” which is fitting. You’ll see more on these in a little while. One more field you add to this permissions table is a user_id column linking that Permission to a User. With all of that in mind, you can define this step in a new file at features/ step_definitions/permission_steps.rb, as shown in the following listing. Listing 8.2 features/step_definitions/permission_steps.rb Given /^"([^"]*)" can view the "([^"]*)" project$/ do |user, project| Permission.create!(:user => User.find_by_email!(user), :thing => Project.find_by_name!(project), :action => "view") end In listing 8.2, you create a new Permission record with the action defined as view linking the project and user passed in. This record defines the users who can access the project. When you run this feature, you get an error because the Permission class is not yet defined: And "user@ticketee.com" can view the "TextMate 2" project uninitialized constant Permission (NameError) Define it now by generating the model using the following command, typed all on one line: rails generate model permission user_id:integer thing_id:integer thing_type:string action:string With this model and its related migration, you can run rake db:migrate and rake db:test:prepare to set up the development and test databases. When you run your feature again, you get this error message: And "user@ticketee.com" can view the "TextMate 2" project unknown attribute: user (ActiveRecord::UnknownAttributeError)
Page 1 and 2:
IN ACTION Ryan Bigg Yehuda Katz MAN
Page 4 and 5:
Rails 3 in Action RYAN BIGG YEHUDA
Page 6:
1 ■ Ruby on Rails, the framework
Page 9 and 10:
viii 3 4 5 6 CONTENTS Developing a
Page 11 and 12:
x 9 10 CONTENTS 8.5 Restricting wri
Page 13 and 14:
xii 13 14 CONTENTS 12.2 Subscribing
Page 15 and 16:
xiv 18 CONTENTS 17.4 Setting up a t
Page 17 and 18:
xvi PREFACE cover. It also takes a
Page 19 and 20:
xviii ACKNOWLEDGMENTS gnarly ePub R
Page 21 and 22:
xx about this book Ruby on Rails is
Page 23 and 24:
xxii ABOUT THIS BOOK By chapter 16,
Page 25 and 26:
about the cover illustration The fi
Page 27 and 28:
2 CHAPTER 1 Ruby on Rails, the fram
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
10 CHAPTER 1 Ruby on Rails, the fra
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
24 CHAPTER 2 Testing saves your bac
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
This chapter covers � Building th
Page 71 and 72:
46 CHAPTER 3 Developing a real Rail
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
84 CHAPTER 4 Oh CRUD! 4.1.1 Writing
Page 111 and 112:
86 CHAPTER 4 Oh CRUD! Aha! You’re
Page 113 and 114:
88 CHAPTER 4 Oh CRUD! 4.2 Editing p
Page 115 and 116:
90 CHAPTER 4 Oh CRUD! 4.2.2 The upd
Page 117 and 118:
92 CHAPTER 4 Oh CRUD! 4.3.1 Writing
Page 119 and 120:
94 CHAPTER 4 Oh CRUD! Figure 4.1 Ac
Page 121 and 122:
96 CHAPTER 4 Oh CRUD! F When the te
Page 123 and 124:
98 CHAPTER 4 Oh CRUD! functionality
Page 125 and 126:
100 CHAPTER 5 Nested resources New
Page 127 and 128:
102 CHAPTER 5 Nested resources an e
Page 129 and 130:
104 CHAPTER 5 Nested resources 5.1.
Page 131 and 132:
106 CHAPTER 5 Nested resources Then
Page 133 and 134:
108 CHAPTER 5 Nested resources Grea
Page 135 and 136:
110 CHAPTER 5 Nested resources see
Page 137 and 138:
112 CHAPTER 5 Nested resources The
Page 139 and 140: 114 CHAPTER 5 Nested resources Agai
Page 141 and 142: 116 CHAPTER 5 Nested resources show
Page 143 and 144: 118 CHAPTER 6 Authentication and ba
Page 161 and 162: This chapter covers � Adding an a
Page 163 and 164: 138 CHAPTER 7 Basic access control
Page 189: This chapter covers � Expanding w
Page 193 and 194: 168 CHAPTER 8 More authorization pe
Page 195 and 196: 170 CHAPTER 8 More authorization Th
Page 197 and 198: 172 CHAPTER 8 More authorization ..
Page 201 and 202: 176 CHAPTER 8 More authorization 8.
Page 203 and 204: 178 CHAPTER 8 More authorization Re
Page 205 and 206: 180 CHAPTER 8 More authorization Cr
Page 209 and 210: 184 CHAPTER 8 More authorization De
Page 211 and 212: 186 CHAPTER 8 More authorization De
Page 213 and 214: 188 CHAPTER 8 More authorization To
Page 219 and 220: 194 CHAPTER 8 More authorization Yo
Page 221 and 222: 196 CHAPTER 8 More authorization cu
Page 223 and 224: 198 CHAPTER 8 More authorization
Page 227 and 228: 202 CHAPTER 8 More authorization Li
Page 229 and 230: 204 CHAPTER 8 More authorization
Page 231 and 232: 206 CHAPTER 8 More authorization Si
Page 233 and 234: 208 CHAPTER 8 More authorization Li
Page 237 and 238: 212 CHAPTER 8 More authorization 45
Page 239 and 240: 214 CHAPTER 9 File uploading By pro
Page 241 and 242:
216 CHAPTER 9 File uploading that t
Page 243 and 244:
218 CHAPTER 9 File uploading remove
Page 245 and 246:
220 CHAPTER 9 File uploading This f
Page 247 and 248:
222 CHAPTER 9 File uploading asset
Page 249 and 250:
224 CHAPTER 9 File uploading 9.2.2
Page 251 and 252:
226 CHAPTER 9 File uploading you ha
Page 253 and 254:
228 CHAPTER 9 File uploading sign_i
Page 255 and 256:
230 CHAPTER 9 File uploading When y
Page 257 and 258:
232 CHAPTER 9 File uploading You co
Page 259 and 260:
234 CHAPTER 9 File uploading The /a
Page 261 and 262:
236 CHAPTER 9 File uploading When y
Page 263 and 264:
238 CHAPTER 9 File uploading Open a
Page 265 and 266:
240 CHAPTER 9 File uploading This i
Page 267 and 268:
242 CHAPTER 9 File uploading After
Page 269 and 270:
244 CHAPTER 10 Tracking state used,
Page 271 and 272:
246 CHAPTER 10 Tracking state group
Page 273 and 274:
248 CHAPTER 10 Tracking state Listi
Page 275 and 276:
250 CHAPTER 10 Tracking state end @
Page 277 and 278:
252 CHAPTER 10 Tracking state With
Page 279 and 280:
254 CHAPTER 10 Tracking state which
Page 281 and 282:
256 CHAPTER 10 Tracking state The f
Page 283 and 284:
258 CHAPTER 10 Tracking state class
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
264 CHAPTER 10 Tracking state Good,
Page 291 and 292:
266 CHAPTER 10 Tracking state You c
Page 293 and 294:
268 CHAPTER 10 Tracking state You h
Page 295 and 296:
270 CHAPTER 10 Tracking state You
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
276 CHAPTER 10 Tracking state def m
Page 303 and 304:
278 CHAPTER 10 Tracking state 10.5
Page 305 and 306:
280 CHAPTER 10 Tracking state 33 of
Page 307 and 308:
282 CHAPTER 10 Tracking state 10.5.
Page 309 and 310:
284 CHAPTER 10 Tracking state it "c
Page 311 and 312:
This chapter covers � Tagging spe
Page 313 and 314:
288 CHAPTER 11 Tagging And I press
Page 315 and 316:
290 CHAPTER 11 Tagging To define th
Page 317 and 318:
292 CHAPTER 11 Tagging 11.2 Adding
Page 319 and 320:
294 CHAPTER 11 Tagging 11.2.2 Fixin
Page 321 and 322:
296 CHAPTER 11 Tagging Because the
Page 323 and 324:
298 CHAPTER 11 Tagging ment from th
Page 325 and 326:
300 CHAPTER 11 Tagging true, :url
Page 327 and 328:
302 CHAPTER 11 Tagging get there pr
Page 329 and 330:
304 CHAPTER 11 Tagging And I follow
Page 331 and 332:
306 CHAPTER 11 Tagging The :from op
Page 333 and 334:
308 CHAPTER 11 Tagging This is beca
Page 335 and 336:
310 CHAPTER 11 Tagging into this:
Page 337 and 338:
This chapter covers � Sending ema
Page 339 and 340:
314 CHAPTER 12 Sending email To tes
Page 341 and 342:
316 CHAPTER 12 Sending email Let’
Page 343 and 344:
318 CHAPTER 12 Sending email Now th
Page 345 and 346:
320 CHAPTER 12 Sending email the em
Page 347 and 348:
322 CHAPTER 12 Sending email Great
Page 349 and 350:
324 CHAPTER 12 Sending email messag
Page 351 and 352:
326 CHAPTER 12 Sending email A B cr
Page 353 and 354:
328 CHAPTER 12 Sending email Next,
Page 355 and 356:
330 CHAPTER 12 Sending email As usu
Page 357 and 358:
332 CHAPTER 12 Sending email When y
Page 359 and 360:
334 CHAPTER 12 Sending email applic
Page 361 and 362:
336 CHAPTER 12 Sending email Listin
Page 363 and 364:
338 CHAPTER 12 Sending email To ins
Page 365 and 366:
340 CHAPTER 12 Sending email 12.4 R
Page 367 and 368:
342 CHAPTER 12 Sending email 12.4.2
Page 369 and 370:
344 CHAPTER 12 Sending email When y
Page 371 and 372:
346 CHAPTER 12 Sending email By sen
Page 373 and 374:
348 CHAPTER 13 Designing an API One
Page 375 and 376:
350 CHAPTER 13 Designing an API cri
Page 377 and 378:
352 CHAPTER 13 Designing an API RSp
Page 379 and 380:
354 CHAPTER 13 Designing an API ] }
Page 381 and 382:
356 CHAPTER 13 Designing an API In
Page 383 and 384:
358 CHAPTER 13 Designing an API Boo
Page 385 and 386:
360 CHAPTER 13 Designing an API 13.
Page 387 and 388:
362 CHAPTER 13 Designing an API Thi
Page 389 and 390:
364 CHAPTER 13 Designing an API err
Page 391 and 392:
366 CHAPTER 13 Designing an API To
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
372 CHAPTER 13 Designing an API @pr
Page 399 and 400:
374 CHAPTER 13 Designing an API The
Page 401 and 402:
376 CHAPTER 13 Designing an API Lis
Page 403 and 404:
378 CHAPTER 13 Designing an API You
Page 405 and 406:
Page 407 and 408:
382 CHAPTER 13 Designing an API you
Page 409 and 410:
384 CHAPTER 13 Designing an API git
Page 411 and 412:
386 CHAPTER 14 Deployment done. Thi
Page 413 and 414:
388 CHAPTER 14 Deployment useradd -
Page 415 and 416:
390 CHAPTER 14 Deployment rvm group
Page 417 and 418:
392 CHAPTER 14 Deployment To be as
Page 419 and 420:
394 CHAPTER 14 Deployment service s
Page 421 and 422:
396 CHAPTER 14 Deployment 14.5.1 De
Page 423 and 424:
398 CHAPTER 14 Deployment The final
Page 425 and 426:
400 CHAPTER 14 Deployment With the
Page 427 and 428:
402 CHAPTER 14 Deployment executing
Page 429 and 430:
404 CHAPTER 14 Deployment The first
Page 431 and 432:
406 CHAPTER 14 Deployment You can e
Page 433 and 434:
408 CHAPTER 14 Deployment Once Rail
Page 435 and 436:
410 CHAPTER 14 Deployment This mean
Page 437 and 438:
This chapter covers � Authenticat
Page 439 and 440:
414 CHAPTER 15 Alternative authenti
Page 441 and 442:
Page 443 and 444:
Page 445 and 446:
Page 447 and 448:
Page 449 and 450:
Page 451 and 452:
Page 453 and 454:
Page 455 and 456:
Page 457 and 458:
Page 459 and 460:
This chapter covers � Implementin
Page 461 and 462:
436 CHAPTER 16 Basic performance en
Page 463 and 464:
Page 465 and 466:
Page 467 and 468:
Page 469 and 470:
Page 471 and 472:
Page 473 and 474:
Page 475 and 476:
Page 477 and 478:
Page 479 and 480:
Page 481 and 482:
Page 483 and 484:
Page 485 and 486:
Page 487 and 488:
Page 489 and 490:
Page 491 and 492:
Page 493 and 494:
This chapter covers � The importa
Page 495 and 496:
470 CHAPTER 17 Engines copy over as
Page 497 and 498:
472 CHAPTER 17 Engines With that sa
Page 499 and 500:
474 CHAPTER 17 Engines Obviously, y
Page 501 and 502:
476 CHAPTER 17 Engines This file’
Page 503 and 504:
478 CHAPTER 17 Engines 2. Goes thro
Page 505 and 506:
480 CHAPTER 17 Engines This is real
Page 507 and 508:
482 CHAPTER 17 Engines s.add_develo
Page 509 and 510:
484 CHAPTER 17 Engines The click_li
Page 511 and 512:
486 CHAPTER 17 Engines This code ha
Page 513 and 514:
488 CHAPTER 17 Engines You’re mis
Page 515 and 516:
490 CHAPTER 17 Engines NOTE We’re
Page 517 and 518:
492 CHAPTER 17 Engines 17.5.8 Showi
Page 519 and 520:
494 CHAPTER 17 Engines Listing 17.9
Page 521 and 522:
496 CHAPTER 17 Engines Note that th
Page 523 and 524:
498 CHAPTER 17 Engines your applica
Page 525 and 526:
500 CHAPTER 17 Engines 17.7.2 A fak
Page 527 and 528:
502 CHAPTER 17 Engines forem_user;
Page 529 and 530:
504 CHAPTER 17 Engines You don’t
Page 531 and 532:
506 CHAPTER 17 Engines This is the
Page 533 and 534:
508 CHAPTER 17 Engines Because you
Page 535 and 536:
510 CHAPTER 17 Engines Listing 17.1
Page 537 and 538:
512 CHAPTER 17 Engines 17.8 Releasi
Page 539 and 540:
514 CHAPTER 17 Engines This task ac
Page 541 and 542:
This chapter covers � Building a
Page 543 and 544:
518 CHAPTER 18 Rack-based applicati
Page 545 and 546:
Page 547 and 548:
Page 549 and 550:
Page 551 and 552:
Page 553 and 554:
Page 555 and 556:
Page 557 and 558:
Page 559 and 560:
Page 561 and 562:
Page 563 and 564:
Page 565 and 566:
Page 567 and 568:
542 APPENDIX A Why Rails? it helps
Page 569 and 570:
544 APPENDIX A Why Rails? with thei
Page 571 and 572:
546 appendix B Tidbits This appendi
Page 573 and 574:
548 APPENDIX B Tidbits You should g
Page 576 and 577:
Special characters and numbers $ fu
Page 578 and 579:
authentication (continued) OAuth, 4
Page 580 and 581:
CSRF (cross-site request forgery) a
Page 582 and 583:
find_or_create_for_twitter method,
Page 584 and 585:
last_post method, 510 last_ticket m
Page 586 and 587:
Project.for method, 531 projects, 5
Page 588 and 589:
searching by state, 305-309 testing
Page 590 and 591:
toggle_watching_button method, 330
Page 592:
WEB DEVELOPMENT/RUBY R ails Rails 3
show all

Rails%203%20In%20Action

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?