Rails who is logged in
Asked 8 years, 4 months ago. Active 8 years, 4 months ago. Viewed 3k times.

I think you should be looking at database design to come up with the answer. Your problem relates to scoping.
Barna Kovacs

Alex Peachey

Your students controller obviously depends on having a current user like my code above shows and your original problem specified. The appropriate actions on the student controller should require authentication. This will redirect you to whatever you set as the redirection point in devise for failed authentication instead of giving an error.
I think you probably need to read the devise documentation some more and probably some more on Rails itself.

We can then verify that both the login integration test and the full test suite are green:

Now that our login form can handle invalid submissions, the next step is to handle valid submissions correctly by actually logging a user in. In Section 8. Implementing sessions will involve defining a large number of related functions for use across multiple controllers and views.
You may recall from Section 4. Conveniently, a Sessions helper module was generated automatically when generating the Sessions controller Section 8. Moreover, such helpers are automatically included in Rails views; by including the module into the base class of all controllers (the Application controller), we arrange to make them available in our controllers as well Listing 8.
Logging a user in is simple with the help of the session method defined by Rails. This method is separate and distinct from the Sessions controller generated in Section 8. We can treat session as if it were a hash, and assign to it as follows:

In contrast to the persistent cookie created by the cookies method Section 8. Because temporary cookies created using the session method are automatically encrypted, the code in Listing 8. This applies only to temporary sessions initiated with the session method, though, and is not the case for persistent sessions created using the cookies method.
Permanent cookies are vulnerable to a session hijacking attack, so in Section 8. With the create action defined in Listing 8. As a first step toward enabling more visible changes, in Section 8. To find the current user, one possibility is to use the find method, as on the user profile page Listing 7. But recall from Section 6. Rather than raising an exception, this method returns nil (indicating no such user) if the id is invalid.
This would work fine, but it would hit the database multiple times if, e.g. Recalling the or operator (||) seen in Section 4. Although at first it may seem mysterious, or-equals (||=) is easy to understand by analogy. Since nil is false in a boolean context, the first assignment to foo is nil || "bar", which evaluates to "bar". Similarly, the second assignment is foo || "baz", i.e.
This is because anything other than nil or false is true in a boolean context, and the series of expressions terminates after the first true expression is evaluated.
This practice of evaluating expressions from left to right and stopping on the first true value is known as short-circuit evaluation. In the context of the current user, this suggests the following construction:

The first practical application of logging in involves changing the layout links based on login status. In particular, as seen in Figure 8. Note in Figure 8. At this point, in real life I would consider writing an integration test to capture the behavior described above.
As noted in Box 3. The way to change the links in the site layout involves using an if-else statement inside embedded Ruby to show one set of links if the user is logged in and another set of links otherwise:
A user is logged in if there is a current user in the session, i.e. With the addition in Listing 8. There are four new links, two of which are stubbed out to be completed in Chapter 9:

The logout link, meanwhile, uses the logout path defined in Listing 8. Putting everything together gives the updated header partial shown in Listing 8. As part of including the new links into the layout, Listing 8. At this point, you should visit the login path and log in as a valid user, which effectively tests the code in the previous three sections.
If you quit your browser completely, you should also be able to verify that the application forgets your login status, requiring you to log in again to see the changes described above.
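The following is an added example, not code from the tutorial or from the Stack Overflow answers above. It models the session-based login described in the preceding paragraphs as a plain Ruby script: a constructed in-memory User class stands in for the ActiveRecord model, a Hash stands in for the Rails session object, and a query counter shows what the ||= memoization in current_user actually buys (one database hit per request instead of one per call). It also adds an if guard around the lookup, which the bare ||= form in the text does not have, so that a visitor who is not logged in does not trigger a query on every call (||= cannot cache a nil result).

```ruby
require "securerandom"

# Constructed in-memory stand-in for the User model (assumption: the real app
# uses ActiveRecord, whose find_by returns nil rather than raising).
class User
  attr_reader :id, :name
  @rows = {}
  @queries = 0

  class << self
    attr_reader :queries  # number of simulated database hits so far

    def create(id, name)
      @rows[id] = new(id, name)
    end

    # Like ActiveRecord's find_by: nil for an unknown (or nil) id, no exception.
    def find_by(id:)
      @queries += 1
      @rows[id]
    end
  end

  def initialize(id, name)
    @id, @name = id, name
  end
end

# Mirrors the shape of the tutorial's Sessions helper. `session` is supplied by
# the including class; here it is a plain Hash standing in for Rails' session.
module SessionsHelper
  def log_in(user)
    session[:user_id] = user.id
  end

  # Memoized lookup: ||= only runs its right-hand side while @current_user is
  # nil, so a request that calls current_user several times queries once.
  # The if guard (added here) skips the query entirely when the session holds
  # no user id; the bare form @current_user ||= User.find_by(id: session[:user_id])
  # would query on every call for visitors who are not logged in.
  def current_user
    if (user_id = session[:user_id])
      @current_user ||= User.find_by(id: user_id)
    end
  end

  def logged_in?
    !current_user.nil?
  end

  def log_out
    session.delete(:user_id)
    @current_user = nil   # drop the memoized value so the old user is not reused
  end
end

# Controller-like object: one session Hash per simulated request.
class FakeController
  include SessionsHelper
  attr_reader :session

  def initialize(session = {})
    @session = session
  end
end

# Walks through login, repeated current_user calls, logout and a stale
# session id; returns the observations so they can be checked.
def demo
  alice = User.create(1, "Alice")
  c = FakeController.new
  before = User.queries
  c.log_in(alice)
  3.times { c.current_user }
  hits_while_logged_in = User.queries - before   # 1: memoized after the first call

  c.log_out
  before = User.queries
  logged_in_after_logout = c.logged_in?          # false, and no query thanks to the guard
  hits_after_logout = User.queries - before

  stale = FakeController.new({ user_id: 999 })   # constructed: id of a user that no longer exists
  stale_user = stale.current_user                # nil, not an exception

  { hits_while_logged_in: hits_while_logged_in, name: alice.name,
    logged_in_after_logout: logged_in_after_logout,
    hits_after_logout: hits_after_logout, stale_user: stale_user }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Resetting @current_user in log_out matters in a real controller as well: the memoized value lives for the whole request, so a logout followed by another current_user call in the same request would otherwise still report the old user.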
In order to see these changes, our test needs to log in as a previously registered user, which means that such a user must already exist in the database. The default Rails way to do this is to use fixtures, which are a way of organizing data to be loaded into the test database. We discovered in Section 6. In the present case, we need only one user, whose information should consist of a valid name and email address. Referring to the data model in Figure 6. As discussed in Section 6.
By inspecting the secure password source code, we find that this method is. Using a high cost makes it computationally intractable to use the hash to determine the original password, which is an important security precaution in a production environment, but in tests we want the digest method to be as fast as possible. The secure password source code has a line for this as well:

This suggests placing the method in user. With the digest method from Listing 8.
Unfortunately, this is impossible to arrange with fixtures, and adding a password attribute to Listing 8. Here users corresponds to the fixture filename users. With the fixture user as above, we can now write a test for the layout links by converting the sequence enumerated at the beginning of this section into code, as shown in Listing 8. Listing 8. Compare to count: 2 in Listing 5.
Because the application code was already working, this test should be green:

Although our authentication system is now working, newly registered users might be confused, as they are not logged in by default. To test the behavior from Listing 8. At this point, the test suite should still be green:

As discussed in Section 8. So far, the Sessions controller actions have followed the RESTful convention of using new for a login page and create to complete the login.
Unlike the login functionality, which we use in both Listing 8. To test the logout machinery, we can add some steps to the user login test from Listing 8. We also check that the login link reappears and that the logout and profile links disappear. The new steps appear in Listing 8. The login system we finished in Section 8. Both of these models are professional-grade, with the first used by sites such as GitHub and Bitbucket, and the second used by sites such as Facebook and Twitter.
As noted in Section 8. In particular, persistent cookies are vulnerable to session hijacking, in which an attacker uses a stolen remember token to log in as a particular user. There are four main ways to steal cookies: (1) using a packet sniffer to detect cookies being passed over insecure networks, (2) compromising a database containing remember tokens, (3) using cross-site scripting (XSS), and (4) gaining physical access to a machine with a logged-in user. We prevented the first problem in Section 7.
Rails automatically prevents the third problem by escaping any content inserted into view templates. With these design and security considerations in mind, our plan for creating persistent sessions appears as follows:
Note how similar the final step is to logging a user in, where we retrieve the user by email address and then verify using the authenticate method that the submitted password matches the password digest Listing 8. To add the data model from Figure 8. Compare to the password digest migration in Section 6. Now we have to decide what to use as a remember token. There are many mostly equivalent possibilities—essentially, any long random string will do. A typical base64 string appears as follows:
Remembering users involves creating a remember token and saving the digest of the token to the database. Our plan for the implementation is to make a user. Because of the migration in Listing 8. We need a way to make a token available via user. We solved a similar issue with secure passwords in Section 6. Note the form of the assignment in the first line of the remember method.
As noted in Section 6. With these considerations in mind, we can create a valid token and associated digest by first making a new remember token using User. This procedure gives the remember method shown in Listing 8.
Having created a working user. The way to do this is with the cookies method, which as with session we can treat as a hash.
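As an added example (not the tutorial's own code, and not tied to the Stack Overflow question above), the script below carries the remember-token design from the last few paragraphs, together with the digest discussion earlier, into runnable Ruby. The User class, its update_attribute, and the cookie jar are constructed stand-ins; User.digest uses SHA-256 from the standard library instead of the tutorial's BCrypt-based method so that the script needs no gems, which is defensible only for a high-entropy random token and never for passwords. The demo checks the properties that matter for the "compromised database" theft vector listed above: the stored digest does not authenticate when presented as a token, re-remembering rotates the token, and forgetting invalidates it.

```ruby
require "securerandom"
require "digest"

# Constructed stand-in for the User model with the remember_digest column.
# Assumption: User.digest swaps in SHA-256 for the tutorial's BCrypt-based
# digest. That is acceptable only because a remember token is 16 random
# bytes; a password has far less entropy and must keep a slow, costed hash.
class User
  attr_reader :id, :remember_digest   # remember_digest: the column from the migration
  attr_accessor :remember_token       # virtual attribute, lives only in memory

  def initialize(id)
    @id = id
  end

  def self.digest(string)
    Digest::SHA256.hexdigest(string)
  end

  # 16 random bytes, URL-safe base64 encoded (22 characters, no padding).
  def self.new_token
    SecureRandom.urlsafe_base64
  end

  # Create a token, keep it in memory, store only its digest in the "database".
  def remember
    self.remember_token = User.new_token
    update_attribute(:remember_digest, User.digest(remember_token))
  end

  def forget
    update_attribute(:remember_digest, nil)
  end

  # True if the presented token digests to the stored value.
  def authenticated?(token)
    return false if remember_digest.nil? || token.nil?
    secure_equal?(remember_digest, User.digest(token))
  end

  private

  # Stand-in for ActiveRecord's update_attribute.
  def update_attribute(name, value)
    instance_variable_set("@#{name}", value)
  end

  # Constant-time comparison so response timing does not leak how many
  # leading characters of the digest matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Persistent-session helper; `cookies` is a plain Hash standing in for the
# Rails cookie jar (Rails would sign user_id via cookies.permanent.signed).
module SessionsHelper
  def remember(user)
    user.remember
    cookies[:user_id] = user.id
    cookies[:remember_token] = user.remember_token
  end

  def forget(user)
    user.forget
    cookies.delete(:user_id)
    cookies.delete(:remember_token)
  end
end

class FakeBrowserSession
  include SessionsHelper
  attr_reader :cookies

  def initialize
    @cookies = {}
  end
end

# Runs the remember / rotate / forget lifecycle and returns the observations.
def demo
  user = User.new(42)                                             # constructed user id
  b = FakeBrowserSession.new
  b.remember(user)
  first_token = b.cookies[:remember_token]
  authenticated = user.authenticated?(first_token)                # true
  digest_differs = user.remember_digest != first_token            # the token itself is never stored
  leaked_digest_works = user.authenticated?(user.remember_digest) # false: a leaked digest is not a token

  b.remember(user)                                                # re-remembering rotates the token
  tokens_differ = b.cookies[:remember_token] != first_token
  old_token_after_rotation = user.authenticated?(first_token)     # false

  b.forget(user)
  after_forget = user.authenticated?(b.cookies[:remember_token])  # nil token -> false

  { authenticated: authenticated, digest_differs: digest_differs,
    leaked_digest_works: leaked_digest_works, tokens_differ: tokens_differ,
    old_token_after_rotation: old_token_after_rotation, after_forget: after_forget }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Because only the digest reaches the database, an attacker who obtains the users table still cannot build a valid remember cookie, which is exactly the mitigation the tutorial's plan relies on for the second theft vector.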