My 'requirements' were login with admin account. Anyone can read posts, read comments, and add comments. Admins can add, update, and delete posts. Admins can also remove comments. For usability, the links for these actions should be hidden unless the user is an admin. Of course the urls and actions should be locked down as well.
I decided to write the authentication part from scratch following railscasts Authentication in Rails 3.1 and Authentication from Scratch. For my purposes, I just need one admin account. I don't need to sign up users or any other ui for managing users. I figure, I can create the admin account from the command line, and that'd be about it. So, I skipped the parts from railscasts above that created views for User. I did create a login page of course (no logout).
Here are the authentication commands and code:
User
rails g model user email:string password_digest:string class CreateUsers < ActiveRecord::Migration def change create_table :users do |t| t.string :email t.string :password_digest t.timestamps end end end class User < ActiveRecord::Base has_secure_password endSessions
rails g controller sessions new class SessionsController < ApplicationController def new end def create user = User.find_by_email(params[:email]) if user && user.authenticate(params[:password]) session[:user_id] = user.id redirect_to posts_path else flash.now.alert = "Invalid username or password" render "new" end end end
views/sessions/new.html.erb <h1>Login</h1> <%= form_tag sessions_path do %> <div class="field"> <%= label_tag "Username" %> <%= text_field_tag :email, params[:email] %> </div> <div class="field"> <%= label_tag :password %> <%= password_field_tag :password %> </div> <div class="actions"> <%= submit_tag "Login" %> </div> <% end %>
BlankRailsMysql::Application.routes.draw do resources :sessions resources :posts do resources :comments end get "login" => "sessions#new", :as => "login" endAt this point, a user (if one existed) could go to localhost:3000/login and it would authenticate them and save their user id to the session. By the way, here's the command to add a user:
rails c User.create(:email => "admin", :password => "password", :password_confirmation => "password")
If you need to run this in your heroku environment, just do:
heroku run rails c --app your_app