On Sun, Jan 18, 2009 at 12:45 AM, Ryan Waldron <r...@erebor.com> wrote:
>
> I've run into a strange problem with HTTP Basic authentication. I've
> observed this behavior on my dev box (connecting directly to mongrel)
> and on an Apache+Passenger setup on my deployment machine.
>
> I'm doing the standard thing according to the semi-holy trinity of
> http_authentication.rb on github, Railscast #82, and
> every-blog-tutorial-on-the-net: in my controller I have:
>
> class CongsController < ApplicationController
> before_filter :authenticate, :only => [:edit, :delete, :update]
>
> ...
>
> private
>
> def authenticate
> authenticate_or_request_with_http_basic do |username, password|
> username == 'fred' && password == 'sekr3t'
> end
> end
> end
>
> Sure enough, attempts to edit, update, or delete bring up the HTTP
> basic dialog in the browser, and I have to enter a name and password.
> If I enter them correctly, it passes me through properly.
>
> The problem it also lets me through no matter WHAT I enter, right or
> wrong.
>
> This is what I see this in the Rails log file:
>
> Processing CongsController#edit (for 127.0.0.1 at 2009-01-17 23:25:27)
> [GET]
> Parameters: {"id"=>"1276"}
> SQL (0.1ms) SET SQL_AUTO_IS_NULL=0
> Filter chain halted as [:authenticate] rendered_or_redirected.
> Completed in 0ms (View: 0, DB: 0) | 401 Unauthorized
> [http://localhost/congs/1276/edit]
>
> Processing CongsController#edit (for 127.0.0.1 at 2009-01-17 23:25:30)
> [GET]
> Parameters: {"id"=>"1276"}
> SQL (0.1ms) SET SQL_AUTO_IS_NULL=0
> Cong Columns (4.6ms) SHOW FIELDS FROM `congs`
> Cong Load (15.0ms) SELECT * FROM `congs` WHERE (`congs`.`id` =
> 1276)
> Rendering congs/edit
> Completed in 36ms (View: 7, DB: 20) | 200 OK
> [http://localhost/congs/1276/edit]
>
> I can make it simpler yet: I can use this #authenticate method, and
> it still lets me through:
>
> def authenticate
> return false;
> end
>
> My project's script/about says this:
>
> Mac:~/src/rails/coc(master)> script/about
> About your application's environment
> Ruby version 1.8.6 (i686-darwin8.8.2)
> RubyGems version 1.3.1
> Rails version 2.2.2
> Active Record version 2.2.2
> Action Pack version 2.2.2
> Active Resource version 2.2.2
> Action Mailer version 2.2.2
> Active Support version 2.2.2
> Application root /Users/rew/src/rails/coc
> Environment development
> Database adapter mysql
> Database schema version 20090114205156
>
> This is a VERY simple app; no tricky stuff going on, just a basic CRUD
> thing with a couple of models. I have no idea what is going on here.
>
> Anybody know what I'm doing wrong here? Ideas or suggestions?
>
> According to the documentation (see e.g.
http://www.railsbrain.com/api/rails-2.2.2/doc/index.html?a=C00000133&name=ClassMethods)
if a #before_filter renders or redirects, the second half of an around
filter, and any after filters won't run. I believe that you need to
redirect your unauthenticated user to some other page (such as your login
page) if the authentication fails.
I thought I had read somewhere (perhaps in a book someplace) that if a
filter returns false, it simply skips the rest of the processing in the
filter chain -- but I don't see that in the documentation for filters.
Perhaps it is just well known lore. (Or, perhaps, it's something I just
made up ;-). Regardless, if you think about what's going in the
#before_filter chain, it's just a bunch of processing that get's called
prior to calling your action method. If you want that processing to
redirect the user somewhere else, then you need to explicitly put that in
your processing. If you don't put a specific redirect in your processing,
how would Rails know if and to where it should redirect?
In my (one and only) application, I have
before_filter :login_required
#login_required is provided by the authenticated system plugin and looks
like
def login_required
authorized? || access_denied
end
My particular version of #access_denied looks like:
def access_denied
respond_to do |format|
format.html do
flash[:notice] = "You must log in first"
store_location
redirect_to root_path
end
format.any do
request_http_basic_authentication 'Web Password'
end
end
end
hope this helps a little...
--wpd
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
