Scoping UserSession with Authlogic
I like using subdomains to create a more personalised web application experience for the user. Having their own URL to access the application allows them to feel a sense of ownership. There are many ways you can do this (click here for one), but I specifically want to look at scoping your user sessions so that users cannot log in to other users’ accounts. Doing this with Authlogic is surprisingly easy.
Assuming your subdomain names come from an Account model, add this line of code.
class Account < ActiveRecord::Base
  authenticates_many :user_sessions
end
In your UserSessionsController you can now scope your user sessions to the account.
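class UserSessionsController < ApplicationController
  def create
    # Build the session through the account association so the login is
    # only checked against users of this account. Assumes @current_account
    # has already been set for the request before this action runs.
    @user_session = @current_account.user_sessions.build(params[:user_session])
    if @user_session.save
      flash[:notice] = "Login successful!"
      redirect_back_or_default dashboard_path
    else
      render :action => :new
    end
  end
end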
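
What the scoping buys you, modelled in plain Ruby as an added example; this is not code from the original post and not Authlogic's implementation. `SessionScope`, `make_user`, the sample users and the cookie key format are assumptions, and passing `nil` as the account stands for using the session class without any scope.

```ruby
require "openssl"
require "securerandom"

# Plain-Ruby model of account-scoped sessions. Hypothetical names throughout;
# this is not Authlogic's implementation.
User = Struct.new(:id, :account_id, :login, :salt, :digest)

def kdf(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                           length: 32, hash: "sha256")
end

def make_user(id, account_id, login, password)
  salt = SecureRandom.random_bytes(16)
  User.new(id, account_id, login, salt, kdf(password, salt))
end

# Constructed sample data: two accounts with one user each.
USERS = [make_user(1, 1, "alice", "alice-pass"),
         make_user(2, 2, "bob", "bob-pass")].freeze

# Stand-in for account.user_sessions. account_id = nil models the unscoped
# case, where the session class is used directly.
class SessionScope
  def initialize(account_id, cookies)
    @account_id = account_id
    @cookies = cookies
    @key = account_id ? "account_#{account_id}_user_credentials" : "user_credentials"
  end

  # Login: the credential lookup carries the account condition.
  def create(login, password)
    user = USERS.find { |u| in_scope?(u) && u.login == login }
    return nil unless user && OpenSSL.secure_compare(user.digest, kdf(password, user.salt))
    @cookies[@key] = user.id
    user
  end

  # Later requests: read the namespaced key, then re-apply the condition, so
  # a value copied under another account's key still resolves to nobody.
  def find
    USERS.find { |u| u.id == @cookies[@key] && in_scope?(u) }
  end

  private

  def in_scope?(user)
    @account_id.nil? || user.account_id == @account_id
  end
end
```

Both the login and the later session lookup have to go through the same scope; scoping only one of them leaves the other open to any account's users.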





9 Responses
Thanks for taking the time to clarify this.
I’m still a little confused about what you should use to find the current session though? In the Authlogic docs it seems that you’re meant to do a with_scope find, like this (in ApplicationController to find current_session):
UserSession.with_scope(:find_options => {:conditions => "account_id = #{current_account.id}"}, :id => "account_#{current_account.id}") do
  UserSession.find
end
But when I try and implement this I don’t seem to be able to login. Or rather, the login validates but then I’m sent straight back to the login.
Do we even need to use the above or am I getting confused with something?!
Refer to: http://rdoc.info/rdoc/binarylogic/authlogic/blob/f2e95179acf87f11b44c7a58e6083cf84cddff27/Authlogic/Session/Scopes/ClassMethods.html
Sorry I’m a little unclear on your question.
If you use the above method, you do not need to use a with_scope on UserSession.
By placing ‘authenticates_many :user_sessions’ in the Account model, Authlogic creates an association between the Account and the UserSession and some other magic behind the scenes.
So now you can call ‘@current_account.user_sessions.build’ to scope it to the account.
I assume if you want to call ‘UserSession.build’ and have it automatically scope to account, then you would need with_scope, but are there any benefits of not going through the account/usersession relationship?
I’m trying this (in a Rails 3 app) and it works … except it doesn’t seem to scope the session. I can log in with any user no matter what the subdomain is.
Any ideas?
Thanks
Hmm, what does your code look like? Paste your method here so I can have a look, please.
THANK YOU!!! I have been banging my head against my desk trying to get this figured out!
How do you code def current_account … end?
Where do you set this variable @current_account?
I don’t use subdomains!
Can you please help me?
def current_account
  return @current_account = current_user.account
end
Put that in application_controller.rb and you can then call it via current_account
Ok, and current_user? Because you have to scope the UserSession with the scope account_id? Assume we use session[:account_id] to store the account_id and not a subdomain. How can I code the current_user method?