Codeplace | User Authorization in Ruby on Rails using CanCan

Video Statistics and Information

Captions
Hi everyone, welcome to another tutorial. Today I'm going to teach you about CanCan authorization. What is CanCan? What I have here is the official repository, open on GitHub. CanCan, by definition, as you can see here, is an authorization library for Ruby on Rails which restricts what resources a given user is allowed to access. This pretty much explains what CanCan is, but it not only restricts the resources; it also restricts, so that you understand, the different actions within each resource. I can explain it better if I just show you the app we're going to build. This is it, on localhost. The home page is just a sign-in button, just to force you to sign in, and I have two accounts set up, so let me log in with the second one. OK, this is the app. It's just a simple forum where you can ask questions and get some answers. Each blue rectangle here is a different question. As you can see, I'm the second user, two@gmail.com, and this question was asked by me, so I can edit and destroy it. But this one, "what's the color of the cat", was added by the first user, so I'm not allowed to edit or destroy it. The same goes for the answers: this "Kevin" answer was given by me, so I can delete it, but the "Paul" one was not, so I'm not allowed to do anything with it. The same with "red": it's not mine, but "I have no idea" is, so I can delete it. Every user can create a different question, so let me just post another question, as you can see here, or type some answers. So this is basically what CanCan allows you to do: it lets you specify which resources or actions the current user is allowed to access. Let me show you the first user. The reason is that this user has admin privileges, so you can see here you can do everything: delete or edit each one of the resources. OK, so this is what we're going to build, so let's begin.

Let's begin by creating a new Rails app. Open the terminal and type rails new; let's call it my_forum. I'm going to try to do this as fast as I can, since all the concepts you're going to see in this tutorial have already been covered in previous codecasts, so I encourage you to watch them if you find it difficult to follow along. Let's start with the Devise implementation. I have it open here; let's go to the getting started section. gem 'devise'. Let's open our my_forum app in Sublime. In the Gemfile, paste devise, then bundle install. Oh, first we need to go to our directory. Now bundle install. OK, it's done. Now let's install it with the command you have to type in your terminal. OK, it's created. Now let's generate the model: devise, and let's call it User. Everything is done. Check here: we already have the migration, and I want to add an extra field here, called admin. It's a boolean, since we want true or false, and the field is admin. We can close this; we don't need it now. Let's generate a scaffold for questions. We're going to have two main resources: the first one is questions and the second one is answers. So: rails g scaffold question, and in the table we want just the column content, of type string. Press Enter; it creates all the files. Now rails g model answer. We just need the model; in the table our column is content and the type is, sorry, so many typos, text. We just want a model for the answer resource; we're going to create the controller afterwards. The next thing we need to do is add the relationships between the models, so let's open the three models at once. The user is going to have many questions: has_many :questions. The question of course belongs_to :user. Staying on the question, it will have many answers: has_many :answers. On the answer side, we know that it belongs to the question as well as the user. We just need to add has_many :answers on the user model as well. These are all the relationships; let me indent this to make it more readable. That's all we need to do as far as relationships are concerned, so we can close the files.

The next thing we need to do is add some fields to reference the other models. In this case, on the answer we want to reference the question id as well as the user id, and on questions we want to reference the user id. OK, all the migrations are set, so we can close this and migrate the database. Actually, no, sorry, before that let's generate the home controller, so we can redirect the user according to their sign-in status: rails g controller home, and we just want an index action. Let's clear. In here I want to change two things. The first one is the index action of the home controller. Here we don't want anything, actually; we can delete everything from the view, because we are going to put it right here in the layout, application.html.erb. Let me just copy some code I have here and explain it. What we want to do here is very simple: we just want to add this if statement, so if the user is signed in (user_signed_in? is a helper method from Devise) we want to redirect him to the questions path. In the application view we want a pretty standard condition, nothing you haven't seen before: if the user is signed in, display "welcome", the current user's email and the link to log out, and if not, the link to sign in. OK, so it's all said and done; we could migrate the database already, but since we are here we might as well configure the routes. We want to change this to root instead of get, so this is the home page. Now we want a nested resource: we want the answers to be part of a question, so you have nested routes. I'm not going to cover it as much because I already did in a previous tutorial, but it's something like this: resources :questions do resources :answers end. This is going to link these two together. That's all there is to the routes section, and I think we can now migrate the database. OK, all three tables were created. Now that the questions are all set up, let's add a controller for the answers. Add a new file; let's call it answers_controller.rb, and let's add a folder for the respective views, answers. In the answers controller I'm going to paste some code I have; it's very simple and straightforward. It just has the create and destroy actions, and as we did already it's creating answers through the question, linking each answer to its respective question. In destroy it's the same thing, and of course the private method to set the params. This is all stuff you have seen so far, I'm sure. Now we need to create a partial in here so that each answer can be displayed: _answer.html.erb is going to be the partial. Before I populate the partial, let me show you the index view of the question. I'm going to replace this with code that I already have, and explain it. Delete all of this and replace it; it's not too much. Here it's the same thing, "new question", but now for each question I wanted to give it a title, the content, so I take the content of the question. I use this "time ago" helper to say when it was created, displaying the created_at field, and by whom. Next I have two links, edit and destroy, and if that question has any answers, display them here via the partial, which I'm going to populate afterwards, and then the simplest form here to add an answer to that question. Let's do the partial here; I'm going to paste some code. As you can see, all in the same p tag, it's just the answer's content and afterwards the link to delete that answer.

Let's see what we have so far. I pretty much think we have the app completely made; let's check it out. OK, the sign-in button on the home page. We don't have any users, so let me add the first user, and let me add the other user as well: sign up, password, password. I have two users now. If I type a question... what did I do wrong? Oh, I know what I forgot. In here I don't want this create; what I actually want is to set the user to the current user, because I want to link the question to the user, the same way as the answer is linked to the question. So you assign the current user to this variable here, and now the question equals user.questions.build. This is going to link the question to that user. Let me go to the root page as well. Of course now I have an error here, so let me just delete all the data I have. Let's open rails c: Question.first.destroy, and Question.count is zero. OK, now it's cool. Let's add a new question, "some question"; you can see here it's all created. It's created by the second user, I can edit and destroy, and I can add answers and delete them. OK, so the app is complete and now we are able to implement CanCan, so let's do it. Let's just delete this question here.

Now, the first thing is of course to install the gem, so let's go to the Gemfile and add cancan; I don't want to clear this one, let's just stop the server and run bundle install. The next thing is to create the ability model: just type this command in your terminal, and it creates one file, ability.rb. Now I'm going to explain how CanCan works. Let's close the controllers, we don't need them; let's go to our models and open the ability model. You see it has just one initialize method; you define all your abilities in here. The way to do this is very simple: I'm going to put an if/else statement here, and remember when I added the boolean field, this is the reason. This user here, and CanCan is very smart about this, is the current user session. It doesn't matter which authentication library you are using; in this case I'm using Devise, and you may ask, shouldn't it be current_user here? No, this always gets the user of the current session. So what I want to check here is: if the current user is admin, I want him to be able to do some things, and if not, I want him to be able to do some other things. The way you define abilities is right here; I already have it open. If you come here to "defining abilities", you use the can method. The can method, as you can see here, is used to define permissions and requires two arguments: the first one is the action you are granting the ability for (create, read, update and destroy), and the second one is the model on which you are setting the permission. Let me show you how to do this. The actions we want all users to have are creating questions and creating answers, so we can start with those. The way to do it is: you type can, then the action, which is :create, comma, the model. Simple: can :create, Question. Let's do the same for Answer. So they can create questions and answers, but now let's do the other abilities we are checking as well. For questions and answers, update and destroy we want to grant only to the owners, and the way you do this is by passing a block. I'm going to show you: can, the action name, :update, then Question, the model, and now you pass a block, like this. In here you just type the condition: question.user == user. So I will only be able to update a question if I'm the question's owner. The same thing for destroy, so let's copy this for destroy, and since we are here I think we can do the answer as well, which is the same thing for destroy, not create, because everyone can create. We just want to restrict the destroy action: can :destroy, Answer if the user of the answer is the user that is logged in. OK, this is how you define abilities.

There are actually three steps; this was the first one. The second step is to go into your actual view and check these two links here, the actions we are permitting, the update and destroy for the question. So we have to go to the views. The way you do this is very simple: you just add an if statement with can? (with a question mark), which is going to check the ability model. Then you put the action and the object you are checking, which in this case is this question here, each question. You put end, and it's that simple. Do the same for the destroy link. Let's try this; start rails s. I'm already logged in, let's add a new question, "my question is back". As you can see I can edit and destroy, but now let's log out and log in with the other user. You see it's working already: no edit and destroy, because this question is not my own, so I do not have those privileges. But I can still of course create an answer, and I can still delete, which we haven't checked yet. So the next step is to check the delete, because if you see, I can delete this answer here, and if I log in with the other user, you see I shouldn't be able to delete it; this is not my answer. Let's fix this the same way as we did here: go to the partial and add a condition right here, if can? :destroy, answer, and end. Let's try it. You see it's already working; the link disappeared, as I'm not the owner of this answer. Let me type another one, and you see I can delete this one because I'm the owner. So it's all working.

Let me just show you how to grant the admin; how are we going to use the admin here? I saved this for last because there's a special ability that CanCan gives you, which is called manage. What this does is essentially represent all the CRUD actions, so what we are actually saying here is that you can create, read, update and destroy. And on which model? If you put :all, this is a real admin, so you can do all the CRUD actions on all the models. Let's put this into effect: let's call the first user, User.first; as you can see here admin is nil, so let me set it to true and save. OK, it's working. As you can see I'm number one; let me create a new question, "another question". Let's go back: "my question is back", "another question", both created by the second user, but if you remember I just granted the first user admin privileges, so I should have the ability to edit everything, and as you can see I can edit and destroy the question that I do not own, and I can delete every single answer. So all of this is working. This is what CanCan does; it's very easy to implement, as you can see.

The last step we have to cover, as I said, is the third of the three steps of checking these abilities. The first one is defining the ability in the model, the second is checking in the view, and now I want to do a test with you. You see, this is number three and I'm sure this is number four, so it's question three and four. I'm going to make a new question from user number one, "just testing" (I'm lacking imagination right now). So this is from user number one. Let me log out and sign in with user number two. As you can see here I cannot edit or destroy this post, which I think is number five. So this post here I shouldn't be able to edit; let's see. If I come here to the URL and type 5, I can still see it, I'm seeing the show page, and I can still edit. So what's the point? This doesn't work; it just deletes the links, but I can still go through the URL. So the third step of this authorization library is going to the controller, to the specific actions you want to authorize, and specifying there whether you authorize or not. Let me give you an example. Let's go to the questions controller. The way you do this is you have to add a simple line here: authorize! :update, @question, in this case. When you go to that action, this simple line of code will go to CanCan and ask: am I able to see this, or read or create this? If not, give me an error; if yes, proceed. So you will see right now that this raises an error, because for post number five I'm not able to do anything. Let's try and go to number five and edit: here it is, CanCan::AccessDenied, you are not authorized to access this page. Very cool.

The last thing I want to show you is how to manage this error, and for that you have a very special rescue_from method that you can use. I'm going to copy and paste it and explain it, though it's very self-explanatory. Let's open the application controller and type this bit of code: rescue_from CanCan::AccessDenied. So when it gives you that error, I want to redirect him not to the root URL but to the questions URL, and give me this alert here, which is the exception message. And now I can come here; this is just a flash, so I can use it as a flash here, which was called alert. That's the only thing I need to do. Now let's try again; go to number five and edit. I shouldn't be able to do it, and if I go to number five, see, it redirects to the questions path and gives me this message: you are not authorized to access this page.

So as you can see it's very easy to implement, and I think it will be very helpful for you, because this is a very, very simple app, but with all the functionality that you basically need: you are authorizing each user depending on which status or abilities he has. So this is it, this is all there is to CanCan, and I encourage you of course to read more about it, because it has a lot more features, but this is it: the CanCan authorization library for Ruby on Rails. I hope you enjoyed it, and see you again in another codecast.
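The following is an added example, not code from the video or from the cancan gem. It is a dependency-free model of the three steps the tutorial walks through (abilities defined with can, the can? check used in the view, and authorize! in the controller with CanCan::AccessDenied rescued into a redirect), written so the security point of the video's "type /questions/5 into the URL" test can be run offline. The Ability#can, #can?, #authorize! methods and the AccessDenied class are simplified re-implementations written for this illustration; the User/Question/Answer structs, the QuestionsController stand-in, the sample users and the "can :read" rules are assumptions made here, not the tutorial's code.

```ruby
# Added example, not the video's code: a dependency-free model of the three
# CanCan steps (define abilities, check with can? in the view, enforce with
# authorize! in the controller and rescue CanCan::AccessDenied). Ability#can,
# #can?, #authorize! and AccessDenied are simplified stand-ins, not the cancan
# gem; action aliases (:read covering :index/:show) and hash conditions are
# not modelled.

User     = Struct.new(:id, :email, :admin)
Question = Struct.new(:id, :content, :user)
Answer   = Struct.new(:id, :content, :user, :question)

module CanCan
  class AccessDenied < StandardError; end
end

class Ability
  def initialize(user)
    @rules = []
    # A signed-out visitor gets a throwaway User that owns nothing, so the owner
    # blocks below evaluate to false instead of blowing up on nil (assumption).
    user ||= User.new(nil, 'guest', false)

    if user.admin
      can :manage, :all                    # every action on every model
    else
      can :create, Question
      can :create, Answer
      can :read, Question                  # not in the video; needed once show and
      can :read, Answer                    # index are authorized as well
      can :update, Question do |question|  # block: only the owner may update
        question.user == user
      end
      can :destroy, Question do |question|
        question.user == user
      end
      can :destroy, Answer do |answer|
        answer.user == user
      end
    end
  end

  # Record a rule: subject is a model class or :all; the optional block is an
  # owner condition evaluated against the instance being checked.
  def can(action, subject, &block)
    @rules << [action, subject, block]
  end

  # View-side check: can?(:update, question) or can?(:create, Question).
  def can?(action, subject)
    subject_class = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule_action, rule_subject, block|
      next false unless rule_action == :manage || rule_action == action
      next false unless rule_subject == :all || rule_subject == subject_class
      # A class has no owner to test, so a rule with a block still grants the
      # class-level check, as the gem does for can?(:create, Question).
      block.nil? || subject.is_a?(Class) || block.call(subject)
    end
  end

  # Controller-side check: raise instead of silently continuing.
  def authorize!(action, subject)
    raise CanCan::AccessDenied, 'You are not authorized to access this page.' unless can?(action, subject)
    true
  end
end

# Stand-in for QuestionsController#update plus the application-wide
# rescue_from CanCan::AccessDenied handler: returns :ok, or the redirect to
# questions_url with the exception message as the flash alert. A hand-typed
# /questions/5/edit goes through this same path, which is why hiding the link
# in the view is not enough on its own.
class QuestionsController
  QUESTIONS_URL = '/questions'.freeze

  def initialize(current_user, questions_by_id)
    @ability   = Ability.new(current_user)
    @questions = questions_by_id
  end

  def update(id, new_content)
    question = @questions.fetch(id)        # what set_question does
    @ability.authorize!(:update, question) # step three from the tutorial
    question.content = new_content
    { status: :ok }
  rescue CanCan::AccessDenied => e
    { status: :redirect, location: QUESTIONS_URL, alert: e.message }
  end
end

# Constructed sample data mirroring the video's end state: user 1 is the admin,
# user 2 a regular member; question 4 was asked by user 2, question 5 by user 1.
def sample_data
  admin  = User.new(1, 'one@gmail.com', true)
  member = User.new(2, 'two@gmail.com', false)
  questions = { 4 => Question.new(4, 'another question', member),
                5 => Question.new(5, 'just testing', admin) }
  [admin, member, questions]
end
```

Running `QuestionsController.new(member, questions).update(5, 'hijacked')` returns the redirect hash and leaves question 5 untouched, while the same call as the admin returns `{ status: :ok }`; `Ability.new(member).can?(:update, questions[5])` is what the view's `if can?` hides the link on. Two things a practitioner should carry over to the real app: the `authorize!` line belongs in every action that touches a record, including show, edit and the answers controller's destroy, not only in update; the gem's `load_and_authorize_resource` before_action does this for all seven RESTful actions at once, which is less error-prone than remembering each call. And the view check is a convenience for users, never a control: the tutorial's own URL test shows that only the controller check stops the request.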
Info
Channel: Codeplace
Views: 24,292
Keywords: codecast, ruby on rails, rails, stuk, stuk.io, authorization, user, users, cancan, gem, tutorial, how to
Id: 0ZCvLDZQ5HM
Length: 33min 9sec (1989 seconds)
Published: Tue Jan 20 2015