views:

59

answers:

5

I can't seem to figure out what I am doing wrong here. I have implemented the Super Simple Authentication from Ryan Bates' tutorial, and while the login portion is functioning correctly, I can't get an error message and redirect to happen correctly for a bad login.

Ryan Bates admits in his comments that he left this out, but I can't seem to implement his recommendation. Basically what is happening is that when someone logs in correctly it works. When a bad password is entered it does the same redirect and flashes 'successfully logged in' though they are not. The admin links do not show (which is correct; those are the links protected by <% if admin? %>), but I need it to say 'failed login' and redirect to login path. Here is my code:

SessionsController

class SessionsController < ApplicationController
  def create
    # Ruby skips the newline after `if`, so the condition here is the
    # ASSIGNMENT on the next line: `if session[:password] = params[:password]`.
    # Its value is whatever was submitted, so any non-nil string (even "")
    # counts as a successful login. This is the bug discussed below.
    if
    session[:password] = params[:password]
      flash[:notice] = 'Successfully logged in'
      redirect_to posts_path
    else
      flash[:notice] = "whoops"
      redirect_to login_path
    end
  end

  def destroy
    reset_session
    flash[:notice] = 'Successfully logged out'
    redirect_to posts_path
  end
end

ApplicationController

class ApplicationController < ActionController::Base

  helper_method :admin?

  protected

  def authorize
    unless admin?
      flash[:error] = "unauthorized request"
      redirect_to posts_path
      false
    end
  end

  def admin?
    session[:password] == "123456"
  end

  helper :all # include all helpers, all the time
  protect_from_forgery # See ActionController::RequestForgeryProtection for details
end
A: 
    if  # YOU'RE MISSING SOMETHING HERE WHICH RETURNS TRUE IF THE USER IS VALID
      session[:password] = session[:password]
      flash[:notice] = 'Successfully logged in'
      redirect_to posts_path
    else
      flash[:notice] = "invalid login"  # Change the message for an invalid login
      redirect_to login_path
    end

it must be

    if   session[:password] == params[:password]
Salil
Yeah, I had a typo there. Still not working even with that change.
bgadoci
A: 

You never have a fail condition due to:

if session[:password] = session[:password]

This will always be true. You probably want something like:

if session[:password] == 'canihazpasswrd' then
  do_something_here
Nazar
I think you have a typo here. What's the point of setting a password in the session if it's already present?
John Topley
So I have. oops!
Nazar
+2  A: 
John Topley
Hi John, that doesn't seem to be working either. Still redirects and flashes 'successfully logged in' even though they are not.
bgadoci
Thanks for fixing my typo in the title as well.
bgadoci
See my edit above.
John Topley
Perfect, that worked great. I know this isn't a great way but want to make sure I understand how this all works before moving on. I will likely by install gem clearance next. Thanks for the help.
bgadoci
I would suggest authlogic :)
Shripad K
No problem, I'm glad it worked. This approach is fine for simple stuff, but you probably wouldn't want to build an online banking application using it! ;-)
John Topley
A: 

Edit: Refer @john's answer. :)

Try this:

  def create
    if session[:password] == '123456'
      flash[:notice] = 'Successfully logged in'
      redirect_to home_path
    else
      flash[:notice] = "Incorrect Password!"
      redirect_to login_path
    end
  end
Shripad K
The `admin?` method should just return whether the user is an administrator or not by comparing the password stored in the session against the known correct password. You can't use the assignment operator within an `if` statement as your `create` method does.
John Topley
Sorry that was a typo. I copy pasted from the question! :P
Shripad K
Yes, you are right about the admin? method part.
Shripad K
A: 

The thing is that the tutorial you used does no user authentication. It only checks whether the login belongs to an admin, so that some content will be shown.

This way you'll never have a wrong login/password, just admin/non-admin.

j.
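As an added example (not code from the question or from any of the answers above), here is the create action the thread converges on, written as plain Ruby with the Rails session, flash, params and redirect_to stubbed out so it runs outside Rails. It puts the posted version, where the `if` condition is an assignment, next to a fixed version that compares params[:password] against the known password and only writes the session on success, and it shows j.'s point that the result is still only admin or non-admin. ADMIN_PASSWORD (the "123456" literal from the question's admin? method), the POSTS_PATH and LOGIN_PATH values, the FakeController stub and the inlined secure_compare helper are all assumptions made for this demonstration.

```ruby
# Added example, not from the original question or answers. Constants and
# the FakeController stub below are assumptions standing in for Rails.
ADMIN_PASSWORD = "123456".freeze   # the literal the question's admin? compares against
POSTS_PATH = "/posts".freeze       # assumed values for posts_path / login_path
LOGIN_PATH = "/login".freeze

# Minimal stand-in for ActionController::Base: records the redirect target
# instead of sending an HTTP response.
class FakeController
  attr_reader :session, :flash, :params, :redirected_to

  def initialize(params = {})
    @params = params
    @session = {}
    @flash = {}
    @redirected_to = nil
  end

  def redirect_to(path)
    @redirected_to = path
  end

  # Same check as the question's ApplicationController#admin?
  def admin?
    session[:password] == ADMIN_PASSWORD
  end
end

# The bug as posted: the condition is an ASSIGNMENT. Its value is
# params[:password] itself, so any non-nil string (even "") is treated as a
# successful login and is stored straight into the session.
class BrokenSessionsController < FakeController
  def create
    if session[:password] = params[:password]
      flash[:notice] = "Successfully logged in"
      redirect_to POSTS_PATH
    else
      flash[:notice] = "whoops"
      redirect_to LOGIN_PATH
    end
  end
end

# Compare two strings without stopping at the first mismatching byte, so the
# time taken does not reveal how much of the guess was right. Rails provides
# ActiveSupport::SecurityUtils.secure_compare for this; it is inlined here
# only so the example runs without Rails.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The fix: compare the SUBMITTED password against the known one, and only
# touch the session on success. nil, "" and wrong passwords all take the
# else branch, which is the "failed login" the question asks for.
class FixedSessionsController < FakeController
  def create
    if secure_compare(params[:password].to_s, ADMIN_PASSWORD)
      session[:password] = ADMIN_PASSWORD
      flash[:notice] = "Successfully logged in"
      redirect_to POSTS_PATH
    else
      session.delete(:password)
      flash[:error] = "Invalid password"
      redirect_to LOGIN_PATH
    end
  end
end

# Run one login attempt against a controller class and return what the
# browser would see (redirect, flash) plus the resulting admin? state.
def attempt(klass, password)
  ctrl = klass.new(password: password)
  ctrl.create
  { redirected_to: ctrl.redirected_to, flash: ctrl.flash, admin: ctrl.admin? }
end

if __FILE__ == $0
  p attempt(BrokenSessionsController, "wrong")   # redirected to /posts, "logged in"
  p attempt(FixedSessionsController, "wrong")    # redirected to /login, error flash
  p attempt(FixedSessionsController, "123456")   # redirected to /posts, admin: true
end
```

Two caveats worth keeping in mind with this pattern even after the fix: it still only distinguishes admin from non-admin, as j. says, and it stores the password itself in the session, which with Rails' cookie-based session store of that era is signed but not encrypted; setting a flag such as session[:admin] = true after the comparison avoids putting the secret in the cookie at all.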