I’ve been long considering a way to put some restrictions on the Target Cancer site to keep casual onlookers of the Home page from mucking about and stepping on things Backstage.
For those who aren’t already in the know, the Target Cancer site is an experimental site I’m making for a friend who is doing a benefit concert with a bunch of musician friends from the Pharma industry. I wanted to create a site where they could advertise the event, provide directions, performer bios and so on, and then also have a back-stage area where the performers could collaborate via a Forum page and an editable list of Songs with lyrics, chords and links to youtube videos (most if not all of the songs are covers in this case).
I was hesitant to implement a full-blown user authentication system on the site, however, because high security isn’t the issue here, and as exciting as it might be to implement, I don’t want all sorts of user registration rigamarole getting in the way of helping these busy people to get together (virtually speaking) and collaborate on their collective goal of learning a bunch of songs, discussing them and keeping track of who’s playing which song.
So with a bit of searching I found my first clue. Someone pointed the way to a Railscast video which showed (almost) exactly what I was looking for:
http_basic_authenticate_with :name => "frodo", :password => "thering"
Putting the line above in the controller who’s views you wish to hide from casual view works great, and there are way you can hide the username and password from the code as well if you wish, such as putting it in an external config file.
But I had a bunch of controllers and views I wanted to hide, and putting that line at the top of each controller would mean (I think, I didn’t actually try it to be honest) back-stage users having to enter a password several times as they traversed the different controllers for Songs, Posts, Users and so on.
So I searched a bit more and found exactly what I was looking for. Here’s how it’s done.
First, create a new ‘Admin’ controller. Call it what you like, but ‘Admin’ is as good a name as any!
rails g controller Admin
Now edit that controller to look like the following, putting in your own values for the username and password:
class AdminController < ApplicationController before_filter :authenticate def authenticate authenticate_or_request_with_http_basic do |username, password| username == 'admin' && password == 'password' end end end
Great. But what about authenticating all the other controllers? Here’s how:
For each controller you want protected change the top line to inherit from AdminController instead of ApplicationController.
For example:
class PostsController < AdminController layout 'backstage' . . .
It’s that simple!
AdminController already inherits from ApplicationController for them, so all they’re getting is a little extra, specifically the before_filter
and the authenticate
method. By inheriting this code, the authentication applies to them all without the user having to manually type a log in for each one.
You can go backstage at the Target Cancer site if you wish with the following login:
performer / pass4backstage
Just try not to step on anything! (If you do, just leave some beer in the fridge by the pool table and all is forgiven.)
;)