Home/ Questions/Q 767975
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T18:06:33+00:00

Within Authlogic, is there a way that I can add conditions to the authentication

  • 0

Within Authlogic, is there a way that I can add conditions to the authentication method? I know by using the find_by_login_method I can specify another method to use, but when I use this I need to pass another parameter since the find_by_login_method method only passes the parameter that is deemed the ‘login_field’.

What I need to do is check something that is an association of the authentic model.. Here is the method I want to use

  # make sure that the user has access to the subdomain that they are 
  # attempting to login to, subdomains are company names
  def self.find_by_email_and_company(email, company)
    user = User.find_by_email(email)

    companies = []
    user.brands.each do |b|
      companies << b.company.id
    end

    user && companies.include?(company)
  end

But this fails due to the fact that only one parameter is sent to the find_by_email_and_company method.

The company is actually the subdomain, so in order to get it here I am just placing it in a hidden field in the form (only way I could think to get it to the model)

Is there a method I can override somehow..?

Using the answer below I came up with the following that worked:

User Model (User.rb)

  def self.find_by_email_within_company(email)
    # find the user
    user = self.find_by_email(email)

    # no need to continue if the email address is invalid
    return false if user.nil?

    # collect the subdomains the provided user has access to
    company_subdomains = user.brands.map(&:company).map(&:subdomain)

    # verify that the user has access to the current subdomain
    company_subdomains.include?(Thread.current[:current_subdomain]) && user
  end

Application Controller

  before_filter :set_subdomain

  private

    def set_subdomain
      # helper that retreives the current subdomain 
      get_company

      Thread.current[:current_subdomain] = @company.subdomain
    end

User Session Model (UserSession.rb)

find_by_login_method :find_by_email_within_company

I have read a few things about using Thread.current, and conflicting namespaces.. This is a great solution that worked for me but would love to hear any other suggestions before the bounty expires, otherwise, +100 to Jens Fahnenbruck 🙂

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Authlogic provides API for dealing with sub domain based authentication. 

    class User < ActiveRecord::Base
  has_many :brands
  has_many :companies, :through => :brands
  acts_as_authentic
end

class Brand < ActiveRecord::Base
  belongs_to :user
  belongs_to :company
end

class Company < ActiveRecord::Base
  has_many :brands
  has_many :users, :through => :brands
  authenticates_many :user_sessions, :scope_cookies => true
end

    Session controller:

    class UserSessionsController < ApplicationController      

  def create
    @company = Company.find(params[:user_session][:company])
    @user_session = @company.user_sessions.new(params[:user_session])
    if @user_session.save 
    else
    end    
  end
end

    On the other hand

    Here is a way to solve the problem using your current approach(I would use the first approach):

    Set custom data – to the key email of the hash used to create the UserSession object.
    AuthLogic will pass this value to find_by_login method. In the find_by_login method access the needed values.

    Assumption:
    The sub domain id is set in a field called company in the form.

    class UserSessionsController < ApplicationController      

  def create
    attrs = params[:user_session].dup #make a copy
    attrs[:email] = params[:user_session] # set custom data to :email key

    @user_session = UserSession.new(attrs)
    if @user_session.save 
    else
    end    
  end
end

    Model code

    Your code for finding the user with the given email and subdomain can be simplified and optimized as follows:

    class User < ActiveRecord::Base
  def find_by_email params={}
   # If invoked in the normal fashion then ..
   return User.first(:conditions => {:email => params}) unless params.is_a?(Hash)

   User.first(:joins => [:brands => :company}],
     :conditions => ["users.email = ? AND companies.id = ?", 
                      params[:email], params[:company]])
  end
end

    Edit 1

    Once the user is authenticated, system should provide access to authorized data.

    If you maintain data for all the domains in the same table, then you have to scope the data by subdomain and authenticated user.
    Lets say you have Post model with company_id and user_id columns. When a user logs in you want to show user’s posts for the sub domain. This is one way to scope user’s data for the subdomain:

    Posts.find_by_company_id_and_user_id(current_company, current_user)

Posts.for_company_and_user(current_company, current_user) # named scope

    If you do not scope the data, you will have potential security holes in your system.

    • 0