$ mkdir app/controllers/users $ touch app/controllers/users/registrations_controller.rb
class Users::RegistrationsController < Devise::RegistrationsController before_filter :check_permissions, :only => [:new, :create, :cancel] skip_before_filter :require_no_authentication def check_permissions authorize! :create, resource end end
The check permissions method is really simple. It calls the CanCan method, authorize!, and checks if the current user can create users. We use resource here because devise uses resource to refer to the model that can be authenticated. Also notice how I removed the require_no_authentication filter, a Devise filter which allows access to actions without authentication.
# replace devise_for :users with: devise_for :users, :controllers => { :registrations => "users/registrations" }
At this point if you hit the users/sign_up page when not logged in, you will notice that a CanCan::AccessDenied is thrown. This exception is thrown anytime permission is denied so you should customize it to your liking. I put the handler in my ApplicationController:
class ApplicationController < ActionController::Base ... rescue_from CanCan::AccessDenied do |exception| flash[:error] = exception.message redirect_to root_url end ... end
class UsersController < ApplicationController before_filter :get_user, :only => [:index,:new,:edit] before_filter :accessible_roles, :only => [:new, :edit, :show, :update, :create] load_and_authorize_resource :only => [:show,:new,:destroy,:edit,:update] # GET /users # GET /users.xml # GET /users.json HTML and AJAX #----------------------------------------------------------------------- def index @users = User.accessible_by(current_ability, :index).limit(20) respond_to do |format| format.json { render :json => @users } format.xml { render :xml => @users } format.html end end # GET /users/new # GET /users/new.xml # GET /users/new.json HTML AND AJAX #------------------------------------------------------------------- def new respond_to do |format| format.json { render :json => @user } format.xml { render :xml => @user } format.html end end # GET /users/1 # GET /users/1.xml # GET /users/1.json HTML AND AJAX #------------------------------------------------------------------- def show respond_to do |format| format.json { render :json => @user } format.xml { render :xml => @user } format.html end rescue ActiveRecord::RecordNotFound respond_to_not_found(:json, :xml, :html) end # GET /users/1/edit # GET /users/1/edit.xml # GET /users/1/edit.json HTML AND AJAX #------------------------------------------------------------------- def edit respond_to do |format| format.json { render :json => @user } format.xml { render :xml => @user } format.html end rescue ActiveRecord::RecordNotFound respond_to_not_found(:json, :xml, :html) end # DELETE /users/1 # DELETE /users/1.xml # DELETE /users/1.json HTML AND AJAX #------------------------------------------------------------------- def destroy @user.destroy! respond_to do |format| format.json { respond_to_destroy(:ajax) } format.xml { head :ok } format.html { respond_to_destroy(:html) } end rescue ActiveRecord::RecordNotFound respond_to_not_found(:json, :xml, :html) end # POST /users # POST /users.xml # POST /users.json HTML AND AJAX #----------------------------------------------------------------- def create @user = User.new(params[:user]) if @user.save respond_to do |format| format.json { render :json => @user.to_json, :status => 200 } format.xml { head :ok } format.html { redirect_to :action => :index } end else respond_to do |format| format.json { render :text => "Could not create user", :status => :unprocessable_entity } # placeholder format.xml { head :ok } format.html { render :action => :new, :status => :unprocessable_entity } end end end ... # PUT /users/1 # PUT /users/1.xml # PUT /users/1.json HTML AND AJAX #---------------------------------------------------------------------------- def update if params[:user][:password].blank? [:password,:password_confirmation,:current_password].collect{|p| params[:user].delete(p) } else @user.errors[:base] << "The password you entered is incorrect" unless @user.valid_password?(params[:user][:current_password]) end respond_to do |format| if @user.errors[:base].empty? and @user.update_attributes(params[:user]) flash[:notice] = "Your account has been updated" format.json { render :json => @user.to_json, :status => 200 } format.xml { head :ok } format.html { render :action => :edit } else format.json { render :text => "Could not update user", :status => :unprocessable_entity } #placeholder format.xml { render :xml => @user.errors, :status => :unprocessable_entity } format.html { render :action => :edit, :status => :unprocessable_entity } end end rescue respond_to_not_found(:js, :xml, :html) end # FILTERS # Get roles accessible by the current user #---------------------------------------------------- def accessible_roles @accessible_roles = Role.accessible_by(current_ability,:read) end # Make the current user object available to views #---------------------------------------- def get_user @current_user = current_user end end
<h2>Register User</h2> <%= form_for(@user) do |f| %> <%= error_messages(@user,"Could not register user") %> <%= render :partial => 'user_fields', :locals => { :f => f } %> <p><%= f.label :password %></p> <p><%= f.password_field :password %></p> <p><%= f.label :password_confirmation %></p> <p><%= f.password_field :password_confirmation %></p> <p><%= f.submit "Register" %></p> <% end %>
<%= f.label :last_name %>
<%= f.text_field :last_name %>
<%= f.label :email %>
<%= f.text_field :email %>
<% if can? :read, Role %><%= f.label :role %>
-
<%= habtm_checkboxes(@user, :role_ids, @accessible_roles, :name) %>
Only allow editing of role attribute if allowed to!
<h3><%= @user == @current_user ? "Your Account Settings" : "Edit User" %></h3> <%= form_for(@user, :html => { :method => :put }) do |f| %> <%= error_messages(@user,"Could not update user") %> <%= render :partial => 'user_fields', :locals => { :f => f } %> <p><%= f.label :password %> <i>(leave blank if you don't want to change it)</i></p> <p><%= f.password_field :password %></p> <p><%= f.label :password_confirmation %></p> <p><%= f.password_field :password_confirmation %></p> <p><%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i></p> <p><%= f.password_field :current_password %></p> <p><%= f.submit "Update" %></p> <% end %> <%= link_to "Back", :back %>
<h3><%= @user.name %></h3> <%= link_to_if(can?(:update,@user), "Edit", edit_user_path(@user)) %> | <%= link_to_if(can?(:delete, @user), "Delete", user_path(@user), :confirm => "Are you sure?", :method => :delete) {} %> <table class="one-column-emphasis"> <tbody> <tr> <td class="oce-first">Email:</td> <td><%= @user.email %></td> </tr> <tr> <td class="oce-first">Role:</td> <td><%= @user.roles.first.name %></td> </tr> <% if can?(:see_timestamps,User) %> <tr> <td class="oce-first">Created at:</td> <td><%= @user.created_at %></td> </tr> <tr> <td class="oce-first">Last Sign In:</td> <td><%= @user.last_sign_in_at %></td> </tr> <tr> <td class="oce-first">Sign In Count:</td> <td><%= @user.sign_in_count %></td> </tr> <% end %> </tbody> </table>
if user.role? :admin can :see_timestamps, User elsif user.role? :normal can :see_timestamps, User, :id => user.id end
class RegistrationsController < Devise::RegistrationsController def create if verify_recaptcha super else build_resource clean_up_passwords(resource) flash[:error] = "There was an error with the recaptcha code below. Please re-enter the code and click submit." render_with_scope :new end end . . . . end
class RegistrationsController < Devise::RegistrationsController def create if session[:omniauth] == nil #OmniAuth if verify_recaptcha super session[:omniauth] = nil unless @user.new_record? #OmniAuth else build_resource clean_up_passwords(resource) flash[:error] = "There was an error with the recaptcha code below. Please re-enter the code and click submit." render_with_scope :new end else super session[:omniauth] = nil unless @user.new_record? #OmniAuth end end
Customizing The Login Requirements
Our application currently uses an email address and password to log users in, but if we want to change it so that it asks for a username instead of an email address then we can do so fairly easily.
The first thing we need to do is create a username column in the User table, which we can do by generating a migration.
$ rails generate migration add_username_to_users username:string
That done we’ll run the migration.
$ rake db:migrate
As we only have one user in the database we can quickly log in to the Rails console and set a value for the username attribute for that user.
$ rails c
Loading development environment (Rails 3.0.0.beta2)
ruby-1.8.7-p249 > User.first.update_attribute(:username, “eifion”)
=> true
Now that we’ve modified the database we need to modify devise’s configuration file, uncommenting the config.authentication_keys line and changing its value from :email to :username.
/config/initializers/devise.rb
1. config.authentication_keys = [ :username ]config.authentication_keys = [ :username ]
With this value set devise will use the username field as the authentication key. We’ll also have to modify the sign in form so that it has a username field instead of the email field.
/app/views/devise/sessions/new.html.erb
1. <% title “Sign In” %> 2. 3. <%= form_for(resource_name, resource, :url => session_path(resource_name)) do |f| %> 4.-
5.
- <%= f.label :username > <= f.text_field :username %> 6.
- <%= f.label :password > <= f.password_field :password %> 7. <% if devise_mapping.rememberable? -%> 8.
- <%= f.check_box :remember_me > <= f.label :remember_me %> 9. <% end %> 10.
- <%= f.submit “Sign in” %> 11.
<% title “Sign In” %>
<%= form_for(resource_name, resource, :url => session_path(resource_name)) do |f| >
- <= f.label :username > <= f.text_field :username >
- <= f.label :password > <= f.password_field :password >
- <%= f.check_box :remember_me > <= f.label :remember_me >
- <= f.submit “Sign in” %>
< if devise_mapping.rememberable? -%>
< end >
<% end %>
<%= render :partial => “devise/shared/links” %>
The signup form will also need to be modified and we’ll have to add validation to the User model attribute but we won’t show that here.
Once we’ve restarted the server so that the configuration changes are picked up we can visit the signin page and login with a username instead of and email address.
Another way to do this is me.com and gmail style. You allow an email or the username of the email. For public facing accounts, this has more security. Rather than allow some hacker to enter a username and then just guess the password, they would have no clue what the user’s email is. Just to make it easier on the user for logging in, allow a short form of their email to be used e.g “someone@domain.com” or just “someone” for short.
before_create :create_login
def create_login email = self.email.split(/@/) login_taken = User.where( :login => email0).first unless login_taken self.login = email0 else self.login = self.email end end def self.find_for_database_authentication(conditions) self.where(:login => conditions[:email]).first || self.where(:email => conditions[:email]).first end