$ mkdir app/controllers/users $ touch app/controllers/users/registrations_controller.rb
class Users::RegistrationsController < Devise::RegistrationsController
before_filter :check_permissions, :only => [:new, :create, :cancel]
skip_before_filter :require_no_authentication
def check_permissions
authorize! :create, resource
end
end
The check permissions method is really simple. It calls the CanCan method, authorize!, and checks if the current user can create users. We use resource here because devise uses resource to refer to the model that can be authenticated. Also notice how I removed the require_no_authentication filter, a Devise filter which allows access to actions without authentication.
# replace devise_for :users with:
devise_for :users, :controllers => { :registrations => "users/registrations" }
At this point if you hit the users/sign_up page when not logged in, you will notice that a CanCan::AccessDenied is thrown. This exception is thrown anytime permission is denied so you should customize it to your liking. I put the handler in my ApplicationController:
class ApplicationController < ActionController::Base
...
rescue_from CanCan::AccessDenied do |exception|
flash[:error] = exception.message
redirect_to root_url
end
...
end
class UsersController < ApplicationController
before_filter :get_user, :only => [:index,:new,:edit]
before_filter :accessible_roles, :only => [:new, :edit, :show, :update, :create]
load_and_authorize_resource :only => [:show,:new,:destroy,:edit,:update]
# GET /users
# GET /users.xml
# GET /users.json HTML and AJAX
#-----------------------------------------------------------------------
def index
@users = User.accessible_by(current_ability, :index).limit(20)
respond_to do |format|
format.json { render :json => @users }
format.xml { render :xml => @users }
format.html
end
end
# GET /users/new
# GET /users/new.xml
# GET /users/new.json HTML AND AJAX
#-------------------------------------------------------------------
def new
respond_to do |format|
format.json { render :json => @user }
format.xml { render :xml => @user }
format.html
end
end
# GET /users/1
# GET /users/1.xml
# GET /users/1.json HTML AND AJAX
#-------------------------------------------------------------------
def show
respond_to do |format|
format.json { render :json => @user }
format.xml { render :xml => @user }
format.html
end
rescue ActiveRecord::RecordNotFound
respond_to_not_found(:json, :xml, :html)
end
# GET /users/1/edit
# GET /users/1/edit.xml
# GET /users/1/edit.json HTML AND AJAX
#-------------------------------------------------------------------
def edit
respond_to do |format|
format.json { render :json => @user }
format.xml { render :xml => @user }
format.html
end
rescue ActiveRecord::RecordNotFound
respond_to_not_found(:json, :xml, :html)
end
# DELETE /users/1
# DELETE /users/1.xml
# DELETE /users/1.json HTML AND AJAX
#-------------------------------------------------------------------
def destroy
@user.destroy!
respond_to do |format|
format.json { respond_to_destroy(:ajax) }
format.xml { head :ok }
format.html { respond_to_destroy(:html) }
end
rescue ActiveRecord::RecordNotFound
respond_to_not_found(:json, :xml, :html)
end
# POST /users
# POST /users.xml
# POST /users.json HTML AND AJAX
#-----------------------------------------------------------------
def create
@user = User.new(params[:user])
if @user.save
respond_to do |format|
format.json { render :json => @user.to_json, :status => 200 }
format.xml { head :ok }
format.html { redirect_to :action => :index }
end
else
respond_to do |format|
format.json { render :text => "Could not create user", :status => :unprocessable_entity } # placeholder
format.xml { head :ok }
format.html { render :action => :new, :status => :unprocessable_entity }
end
end
end
...
# PUT /users/1
# PUT /users/1.xml
# PUT /users/1.json HTML AND AJAX
#----------------------------------------------------------------------------
def update
if params[:user][:password].blank?
[:password,:password_confirmation,:current_password].collect{|p| params[:user].delete(p) }
else
@user.errors[:base] << "The password you entered is incorrect" unless @user.valid_password?(params[:user][:current_password])
end
respond_to do |format|
if @user.errors[:base].empty? and @user.update_attributes(params[:user])
flash[:notice] = "Your account has been updated"
format.json { render :json => @user.to_json, :status => 200 }
format.xml { head :ok }
format.html { render :action => :edit }
else
format.json { render :text => "Could not update user", :status => :unprocessable_entity } #placeholder
format.xml { render :xml => @user.errors, :status => :unprocessable_entity }
format.html { render :action => :edit, :status => :unprocessable_entity }
end
end
rescue
respond_to_not_found(:js, :xml, :html)
end
# FILTERS
# Get roles accessible by the current user
#----------------------------------------------------
def accessible_roles
@accessible_roles = Role.accessible_by(current_ability,:read)
end
# Make the current user object available to views
#----------------------------------------
def get_user
@current_user = current_user
end
end
<h2>Register User</h2>
<%= form_for(@user) do |f| %>
<%= error_messages(@user,"Could not register user") %>
<%= render :partial => 'user_fields', :locals => { :f => f } %>
<p><%= f.label :password %></p>
<p><%= f.password_field :password %></p>
<p><%= f.label :password_confirmation %></p>
<p><%= f.password_field :password_confirmation %></p>
<p><%= f.submit "Register" %></p>
<% end %>
<%= f.label :last_name %>
<%= f.text_field :last_name %>
<%= f.label :email %>
<%= f.text_field :email %>
<% if can? :read, Role %><%= f.label :role %>
-
<%= habtm_checkboxes(@user, :role_ids, @accessible_roles, :name) %>
Only allow editing of role attribute if allowed to!
<h3><%= @user == @current_user ? "Your Account Settings" : "Edit User" %></h3>
<%= form_for(@user, :html => { :method => :put }) do |f| %>
<%= error_messages(@user,"Could not update user") %>
<%= render :partial => 'user_fields', :locals => { :f => f } %>
<p><%= f.label :password %> <i>(leave blank if you don't want to change it)</i></p>
<p><%= f.password_field :password %></p>
<p><%= f.label :password_confirmation %></p>
<p><%= f.password_field :password_confirmation %></p>
<p><%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i></p>
<p><%= f.password_field :current_password %></p>
<p><%= f.submit "Update" %></p>
<% end %>
<%= link_to "Back", :back %>
<h3><%= @user.name %></h3>
<%= link_to_if(can?(:update,@user), "Edit", edit_user_path(@user)) %> |
<%= link_to_if(can?(:delete, @user), "Delete", user_path(@user), :confirm => "Are you sure?", :method => :delete) {} %>
<table class="one-column-emphasis">
<tbody>
<tr>
<td class="oce-first">Email:</td>
<td><%= @user.email %></td>
</tr>
<tr>
<td class="oce-first">Role:</td>
<td><%= @user.roles.first.name %></td>
</tr>
<% if can?(:see_timestamps,User) %>
<tr>
<td class="oce-first">Created at:</td>
<td><%= @user.created_at %></td>
</tr>
<tr>
<td class="oce-first">Last Sign In:</td>
<td><%= @user.last_sign_in_at %></td>
</tr>
<tr>
<td class="oce-first">Sign In Count:</td>
<td><%= @user.sign_in_count %></td>
</tr>
<% end %>
</tbody>
</table>
if user.role? :admin
can :see_timestamps, User
elsif user.role? :normal
can :see_timestamps, User, :id => user.id
end
class RegistrationsController < Devise::RegistrationsController
def create
if verify_recaptcha
super
else
build_resource
clean_up_passwords(resource)
flash[:error] = "There was an error with the recaptcha code below. Please re-enter the code and click submit."
render_with_scope :new
end
end
.
.
.
.
end
class RegistrationsController < Devise::RegistrationsController
def create
if session[:omniauth] == nil #OmniAuth
if verify_recaptcha
super
session[:omniauth] = nil unless @user.new_record? #OmniAuth
else
build_resource
clean_up_passwords(resource)
flash[:error] = "There was an error with the recaptcha code below. Please re-enter the code and click submit."
render_with_scope :new
end
else
super
session[:omniauth] = nil unless @user.new_record? #OmniAuth
end
end
Customizing The Login Requirements
Our application currently uses an email address and password to log users in, but if we want to change it so that it asks for a username instead of an email address then we can do so fairly easily.
The first thing we need to do is create a username column in the User table, which we can do by generating a migration.
$ rails generate migration add_username_to_users username:string
That done we’ll run the migration.
$ rake db:migrate
As we only have one user in the database we can quickly log in to the Rails console and set a value for the username attribute for that user.
$ rails c
Loading development environment (Rails 3.0.0.beta2)
ruby-1.8.7-p249 > User.first.update_attribute(:username, “eifion”)
=> true
Now that we’ve modified the database we need to modify devise’s configuration file, uncommenting the config.authentication_keys line and changing its value from :email to :username.
/config/initializers/devise.rb
1. config.authentication_keys = [ :username ]config.authentication_keys = [ :username ]
With this value set devise will use the username field as the authentication key. We’ll also have to modify the sign in form so that it has a username field instead of the email field.
/app/views/devise/sessions/new.html.erb
1. <% title “Sign In” %> 2. 3. <%= form_for(resource_name, resource, :url => session_path(resource_name)) do |f| %> 4.-
5.
- <%= f.label :username > <= f.text_field :username %> 6.
- <%= f.label :password > <= f.password_field :password %> 7. <% if devise_mapping.rememberable? -%> 8.
- <%= f.check_box :remember_me > <= f.label :remember_me %> 9. <% end %> 10.
- <%= f.submit “Sign in” %> 11.
<% title “Sign In” %>
<%= form_for(resource_name, resource, :url => session_path(resource_name)) do |f| >
- <= f.label :username > <= f.text_field :username >
- <= f.label :password > <= f.password_field :password >
- <%= f.check_box :remember_me > <= f.label :remember_me >
- <= f.submit “Sign in” %>
< if devise_mapping.rememberable? -%>
< end >
<% end %>
<%= render :partial => “devise/shared/links” %>
The signup form will also need to be modified and we’ll have to add validation to the User model attribute but we won’t show that here.
Once we’ve restarted the server so that the configuration changes are picked up we can visit the signin page and login with a username instead of and email address.
Another way to do this is me.com and gmail style. You allow an email or the username of the email. For public facing accounts, this has more security. Rather than allow some hacker to enter a username and then just guess the password, they would have no clue what the user’s email is. Just to make it easier on the user for logging in, allow a short form of their email to be used e.g “[email protected]” or just “someone” for short.
before_create :create_login
def create_login email = self.email.split(/@/) login_taken = User.where( :login => email0).first unless login_taken self.login = email0 else self.login = self.email end end def self.find_for_database_authentication(conditions) self.where(:login => conditions[:email]).first || self.where(:email => conditions[:email]).first end