Rails 3 Authentication and Authorization with Devise and CanCan (Part 1)

by iqbalfarabi on Feb 25, 2011 | 7 Comments
RubyOnRails_2

This article is also published in Iqbal’s blog here.


Recently, I was involved in a new project that uses Rails 3. That was my first Rails 3 project, I’ve always used Rails 2 before. Therefore, I tried to get accustomed to how Rails 3 works and how it differs from Rails 2. One thing that I really had to change back then was what authentication and authorization plugin to use. In my previous projects, I always used Authlogic and Lockdown. When I started this particular project, it seemed that both Authlogic and Lockdown was not Rails 3 ready (but I heard now both are Rails 3 ready). So I decided to give a try to different plugins. That’s how I found Devise and CanCan.

Most part of this writing is heavily duplicated from tutorials from Devise’s official github page, Asciicast’s episode on CanCan by Ryan Bates, and Tony Amoyal’s tutorial. I took most of the codes from these resources and then slightly modified it to meet my own needs. In this post, I try to share my experience working with both Devise and CanCan. I’ll explain it in a step-by-step style, maybe some steps are just too obvious for expert readers, please bear with it.

The Project

I wanted to have a user management feature. In the project, we had several roles with predefined sets of features that each role can access. The system has an administrator roles. Users can’t freely register to the system, the admins add them to the system and then assign a role to them. In the actual system I worked with, users passwords are generated by the application and then sent to the respective user’s mail. To keep this post simple, I’ll make administrator set the password directly.

1. Adding needed gems

Add these lines to your Gemfile:

[cc lang="ruby"]gem ‘devise’
gem ‘cancan’[/cc]

then install the gems with this command from your command line:

[cc lang="bash"]bundle install[/cc]

2. Adding Devise to your project

Run these commands from your command line:

[cc lang="bash"]
rails generate devise:install
rails generate devise User
[/cc]

3. Modifying user model and migration file

As said before, I needed the user management feature to be able to add, delete, and modify users through a CRUD mechanism. Therefore, there are several things we need to change in our user model and migration file. First, we delete the “registerable” attribute.  Second, we add a “username” attribute to the model and to the migration file. Here is how your user model should look like:

[cc lang="ruby"]
class User < ActiveRecord::Base # Include default devise modules. Others available are: # :token_authenticatable, :confirmable, :lockable and :timeoutable devise :database_authenticatable, :recoverable, :rememberable, :trackable, :validatable # Setup accessible (or protected) attributes for your model attr_accessible :email, :username, :password, :password_confirmation, :remember_me end [/cc] and your migration file for user should look like this: [cc lang="ruby"] class DeviseCreateUsers < ActiveRecord::Migration def self.up create_table(:users) do |t| t.database_authenticatable :null => false
t.recoverable
t.rememberable
t.trackable
t.string :username

# t.confirmable
# t.lockable :lock_strategy => :failed_attempts, :unlock_strategy => :both
# t.token_authenticatable

t.timestamps
end

add_index :users, :email, :unique => true
add_index :users, :reset_password_token, :unique => true
# add_index :users, :confirmation_token, :unique => true
# add_index :users, :unlock_token, :unique => true
end

def self.down
drop_table :users
end
end
[/cc]

4. Modifying the routes

When we installed Devise, it added it’s own routes to our routes.rb file. Since we want to have CRUD ability, we have to add another routes for our user resources. So this is what we do:

[cc lang="ruby"]
DeviseTest::Application.routes.draw do
devise_for :users
resources :users

# add another lines as you need…
end
[/cc]

5. Creating the controller and views

In this step, we can just use a generic controller and views template that usually created when you use rails generator to do a scaffolding. Anyway, this is how my users_controller.rb looks:

[cc lang="ruby"]
class UsersController < ApplicationController # GET /users # GET /users.xml def index @users = User.all respond_to do |format| format.html # index.html.erb format.xml { render :xml => @users }
end
end

# GET /users/1
# GET /users/1.xml
def show
@user = User.find(params[:id])

respond_to do |format|
format.html # show.html.erb
format.xml { render :xml => @user }
end
end

# GET /users/new
# GET /users/new.xml
def new
@user = User.new
@current_method = “new”

respond_to do |format|
format.html # new.html.erb
format.xml { render :xml => @user }
end
end

# GET /users/1/edit
def edit
@user = User.find(params[:id])
end

# POST /users
# POST /users.xml
def create
@user = User.new(params[:user])

respond_to do |format|
if @user.save
format.html { redirect_to(@user, :notice => ‘User was successfully created.’) }
format.xml { render :xml => @user, :status => :created, :location => @user }
else
format.html { render :action => “new” }
format.xml { render :xml => @user.errors, :status => :unprocessable_entity }
end
end
end

# PUT /users/1
# PUT /users/1.xml
def update
@user = User.find(params[:id])

respond_to do |format|
if @user.update_attributes(params[:user])
format.html { redirect_to(@user, :notice => ‘User was successfully updated.’) }
format.xml { head :ok }
else
format.html { render :action => “edit” }
format.xml { render :xml => @user.errors, :status => :unprocessable_entity }
end
end
end

# DELETE /users/1
# DELETE /users/1.xml
def destroy
@user = User.find(params[:id])
@user.destroy

respond_to do |format|
format.html { redirect_to(users_url) }
format.xml { head :ok }
end
end
end
[/cc]

Again, although this is a generated view, I’ll include it here anyway. Here’s our _form.html.erb:

[cc lang="ruby"]
<%= form_for(@user) do |f| %>
<% if @user.errors.any? %>

<%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:

    <% @user.errors.full_messages.each do |msg| %>

  • <%= msg %>
  • <% end %>

<% end %>

<%= f.label :email %>
<%= f.text_field :email %>
<%= f.label :username %>
<%= f.text_field :username %>

<% if @current_method == "new" %>

<%= f.label :password %>
<%= f.password_field :password %>
<%= f.label :password_confirmation %>
<%= f.password_field :password_confirmation %>

<% end %>

<%= f.submit %>

<% end %>
[/cc]

Our edit.html.erb:
[cc lang="ruby"]

Editing user

<%= render 'form' %>

<%= link_to 'Show', @user %> |
<%= link_to 'Back', users_path %>
[/cc]

Our index.html.erb:
[cc lang="ruby"]

Listing users

<% @users.each do |user| %>

<% end %>

Email Username
<%= user.email %> <%= user.username %> <%= link_to 'Show', user %> <%= link_to 'Edit', edit_user_path(user) %> <%= link_to 'Destroy', user, :confirm => ‘Are you sure?’, :method => :delete %>

<%= link_to 'New user', new_user_path %>
[/cc]

Our new.html.erb:
[cc lang="ruby"]

New user

<%= render 'form' %>

<%= link_to 'Back', users_path %>
[/cc]

And the last… our show.html.erb:
[cc lang="ruby"]

<%= notice %>

Email:
<%= @user.email %>

Username:
<%= @user.username %>

<%= link_to 'Edit', edit_user_path(@user) %> |
<%= link_to 'Back', users_path %>
[/cc]

6. Using the Devise

In order Devise to really work, we have to put this line in every controller that can only be accessed by authenticated users.

[cc lang="ruby"]
before_filter :authenticate_user!
[/cc]

Next Step

Well, it’s a long post already… . I guess it’s better for us to take a break. So, this is the first part. We have not used CanCan yet, but now we have a working user management feature as we wanted it in the beginning. Hope this post helps you with your own project using Devise. I’ll write the second part where we will use CanCan as soon as possible.

Back to top

7 Responses to “Rails 3 Authentication and Authorization with Devise and CanCan (Part 1)”

  1. [...] – This is the second part of two posts tutorial on how to use Devise and CanCan with Rails 3. You can find the first part of this tutorial at the original blog here or at this site here. [...]

  2. unexpected kENSURE problems says:

    Your code give me this problem with the _form.html.erb file
    “compile error
    c:/ruby/bin/translog2/app/views/users/_form.html.erb:1: syntax error, unexpected ‘)’
    …cat(( form_for(@user) do |f| ).to_s); @output_buffer.concat …
    ^
    c:/ruby/bin/translog2/app/views/users/_form.html.erb:30: syntax error, unexpected kENSURE, expecting ‘)’
    c:/ruby/bin/translog2/app/views/users/_form.html.erb:32: syntax error, unexpected kEND, expecting ‘)’ ”

    i have a headache and am out to lunch please help out. :-)

  3. admin says:

    Are you sure you have copied the whole _form.html.erb code above? Because I’ve checked it just now with that code and it’s working just fine. You probably leave out some lines at the bottom of the code.

    You can post again what you copied so I can double check it. :)

  4. dennis says:

    I do not quite understand step 5: Is it recommended to scaffold “user” at this point? isn’t this in conflict with the “rails generate devise user” at the top? Could you maybe be more verbose here? Thanks a lot

    • ankit says:

      no you do not need to create using scaffold …just make new controller and views and just copy and paste code…

  5. ankit says:

    it is not showing me roles on my home page…

  6. Fred says:

    What I don’t understand from the DeviseCreateUsers migration:
    at the end of the migration there is:
    add_index :users, :email …
    add_index :users, :reset_password_token …
    But, within the migration there is no reference to either of the fields ‘email’ or ‘reset_password_token’, where do these come from? Is this a case of hidden code in the devise migration? If so, how does a developer learn what is ‘really’ happening when they read code like this?

Leave a Reply