Finally, two buttons let the handler either
remove or mark the order as handled.
Adding Some Authentication
CHAPTER 4 – STORE ADMINISTRATION 67
You now have almost all the functionality for the administration part of the Shoplet application. There's just one small piece missing. At the moment, anybody who knows the address can do anything they want with the shop, and because the addresses are easy to guess, this is no way to leave it. You've already prepared for adding authentication by creating the User model and the scaffolds for handling users. Now you need to secure your actions. When you try to go to the admin parts of the application, you should be redirected to a login page, submit your username and password, and if they are correct you should be redirected back to the page you tried to access first. You'll accomplish this through controller filters.
Rails provides filters to let you perform some task before or after an action runs. This
has profound implications and makes many tasks easy, not just authentication and security.
The first step you'll take is to create a new controller. This controller will be the base for all your protected controllers, and won't have any actions itself. Open up the file app/controllers/admin_controller.rb and write this into it:
class AdminController < ApplicationController
  # Run the check before every action of this controller and of its subclasses.
  before_filter :authentication

  private

  # Allow the request only when the session carries the id of an existing
  # user. Otherwise send the visitor to the login page, passing along the
  # URL they asked for so the login action can redirect them back afterwards.
  def authentication
    unless session[:user_id] && User.find_by_id(session[:user_id])
      flash[:notice] = "Please log in"
      redirect_to(:controller => 'auth', :action => 'login',
                  :into => url_for(params))
    else
      @loggedin = true
    end
  end
end
You first declare that the method called authentication should be called as a before_filter, which means it executes before each action of this controller and of every controller that inherits from it. (Later Rails versions spell the same hook before_action; before_filter was removed in Rails 5.1.) Two points are worth noting. The filter trusts whatever user id the login action stored in the session, so the login action must only store an id after the password has actually been verified. And the URL of the originally requested page travels to the login action in the into parameter; when the login action later redirects to that value it must check that it points inside this application, otherwise anyone can hand a user a login link that bounces them to an arbitrary site after they sign in.
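To make the filter's logic and the return-to redirect concrete, here is an added, framework-free example (not code from the book or the Shoplet application) that reproduces the same decision the filter makes and adds the check the login action needs before it redirects back. The class name AdminGate, the helper safe_return_path, the /admin fallback path and the lookup lambda standing in for User.find_by_id are assumptions made for this illustration; the /auth/login path follows from the redirect_to call above.

```ruby
require "uri"
require "cgi"

# Stand-in for AdminController#authentication, usable without Rails.
# `session` is a Hash as Rails provides it; `find_user` is any lookup
# returning nil for unknown ids (like User.find_by_id); `request_path`
# is the page the visitor asked for.
class AdminGate
  LOGIN_PATH = "/auth/login"

  def initialize(find_user)
    @find_user = find_user
  end

  # Returns [:allow] when the session names an existing user, otherwise
  # [:redirect, login_url] with the requested page carried in `into`.
  def call(session, request_path)
    user_id = session[:user_id]
    if user_id && @find_user.call(user_id)
      [:allow]
    else
      [:redirect, "#{LOGIN_PATH}?into=#{CGI.escape(request_path)}"]
    end
  end
end

# The login action eventually redirects to `into`. Accept only paths local
# to this application so a crafted login link cannot send a freshly
# authenticated user to another site. Anything doubtful falls back to
# `default` (an assumed landing page for this example).
def safe_return_path(into, default = "/admin")
  return default if into.nil? || into.empty?
  # A local path starts with exactly one slash; "//host/..." is
  # protocol-relative and would leave the site.
  return default unless into.start_with?("/") && !into.start_with?("//")
  uri = URI.parse(into) rescue nil        # backslashes, newlines etc. fail here
  return default if uri.nil?
  return default if uri.scheme || uri.host || uri.userinfo
  into
end

if __FILE__ == $0
  # Constructed sample data: only user id 1 exists.
  gate = AdminGate.new(->(id) { id == 1 ? :alice : nil })
  p gate.call({}, "/admin/orders")
  p gate.call({ user_id: 1 }, "/admin/orders")
  p safe_return_path("/admin/orders?page=2")
  p safe_return_path("//evil.example/")
end
```

The gate and the return-path check belong on opposite sides of the login round trip: the gate runs as the before filter and decides whether to redirect away, and safe_return_path runs inside the login action right before it redirects back, with params[:into] as its input.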