導軌密碼驗證

Question

首先，我非常非常新的導軌。所以忍受我的任何錯誤。仍在努力尋找可靠信息的最佳來源。很多事情都有點過時了。

我在跟蹤Rails tutorial並使用密碼驗證。在我的應用程序中，我有通過它們之間的關係的用戶和具有has_many的部門。這種關係被稱爲管理者關係。我的用戶驗證和授權工作。管理和取消管理按鈕用於創建經理關係。我還使用安全密碼設置了每個部門。我希望在創建經理關係之前要求用戶輸入部門的密碼。我在管理按鈕旁邊添加了一個密碼字段。

型號：

department.rb 
class Department < ActiveRecord::Base 
attr_accessible :department_name, :password, :password_confirmation 
has_many :manager_relationships, dependent: :destroy 
has_many :users, through: :manager_relationships 
has_secure_password 

manager_relationship.rb

class ManagerRelationship < ActiveRecord::Base 
attr_accessible :department_id 

belongs_to :user 
belongs_to :department 

validates :user_id, presence: true 
validates :department_id, presence: true 
end 

user.rb

class User < ActiveRecord::Base 
attr_accessible :name, :email, :password, :password_confirmation 
has_many :manager_relationships, dependent: :destroy 
has_many :departments, through: :manager_relationships 
has_secure_password 

查看 部門/ show.html.erb

... 
<div class="span8"> 
    <%= render 'manage_form' if signed_in? %> 
</div> 
</div> 

departmnet/_manage.html.erb

<%= form_for(current_user.manager_relationships.build(department_id: @department.id), remote: true) do |f| %> 
<div><%= f.hidden_field :bdepartment_id %></div> 
<%= f.submit "Manage Department", class: "btn btn-large btn-primary" %> 
<% end %> 

控制器：ManagerRelationshipsController

class ManagerRelationshipsController < ApplicationController 
before_filter :signed_in_user 

def create 
    @department = Department.find(params[:manager_relationship][:department_id]) 

    current_user.manage!(@department) 
    respond_to do |format| 
     format.html { redirect_to @department } 
     format.js 
    end 
end 

上述代碼工作。它成功地創造並摧毀了管理者關係。但是沒有認證。任何用戶都可以管理任何部門。我想要求管理用戶輸入部門密碼來創建manager_relationship

這是我已經嘗試過。

departmnet/_manage.html.erb

<%= form_for(current_user.manager_relationships.build(department_id: @department.id), 
remote: true) do |f| %> 
##################This Was Added ############## 
<div> 
<%= f.label :password %> 
<%= f.password_field :password %> 
</div> 
################################################ 

<div><%= f.hidden_field :department_id %></div> 
<%= f.submit "Manage Department", class: "btn btn-large btn-primary" %> 
<% end %> 

ManagerRelationshipsController

class ManagerRelationshipsController < ApplicationController 
before_filter :signed_in_user 
def create 
    @department = Department.find(params[:manager_relationship][:department_id]) 
      ########################The line below was Added ########################## 
    if @department.authenticate(params[:manager_relationship][:password]) 
      ########################################################################### 
     current_user.manage!(@department) 
    respond_to do |format| 
     format.html { redirect_to @department } 
     format.js 
    end 
     ####################I added this################## 
    else 
     flash.now[:error] = 'Invalid password' 
     render 'new' 
    end 
     ############################################################ 

Answer 1

我添加的代碼是正確的。問題出在我嘗試在無效密碼後顯示的閃光消息。

if authenticate 
else 
flash.now[:error] = 'Invalid password' 
render 'new' <<I removed this line.>> 
end 

我的代碼試圖呈現manager_relationships/new，但它不在那裏。我刪除這個按鈕後，按計劃工作。但閃光消息不會顯示出來。我在另一個問題上發佈了這個問題，因爲這是另一個話題。

Answer 2

理想的情況下，因爲用戶登錄不需要密碼，用戶如何來您的網頁。 可能是你想要保護設置/取消數據的另一個層面，你可以使用

@user = User.where(:email=>...).first 
# Authenticating User sonce your email id is in session 
# You don't need to store password on manager_relationship 
# create attr_accessor 
@user.authenticate(params[:manager_relationship][:password]) 
# if user is authenticate then you can add/edit your data