User authentication on redmine plugin
Added by Miguel Akira over 13 years ago
Hello.
I'm somewhat new to rails and to redmine. I made a simple plugin for redmine, where it generates reports based on the user's ticket issues. Only the admin should be able to generate reports for every user, and regular users should be able to generate reports only for their own issues.
Since this plugin is just a test, right now I'm doing this on my index view:
[code]
<% if @user.id == 1 %> <!-- the admin id =P -->
  <%= collection_select(:user, :id, User.all, :id, :lastname) %> <!-- the collection argument is garbled in the post; User.all is assumed here --> <br /> <br />
<% else %>
  <p><label> You are the user: </label> <b><%= @user.name.capitalize %></b></p>
<% end %>
[/code]
Of course, it has no security at all. How should I do this in a secure way?
Thanks!
Replies (3)
RE: User authentication on redmine plugin - Added by Felix Schäfer over 13 years ago
User.current returns the currently logged in user, User.current.admin? (or @any_user.admin? for that matter…) will tell you if the user is an admin.
RE: User authentication on redmine plugin - Added by Miguel Akira over 13 years ago
Thanks for the answer!
But is this solution safe? Or at least, safe enough, considering the Redmine is being used only internally?
Thanks!
RE: User authentication on redmine plugin - Added by Felix Schäfer over 13 years ago
Miguel Akira wrote:
But is this solution safe? Or at least, safe enough, considering the Redmine is being used only internally?
I'm not sure what you mean. User.current always is the current user in the current request, either the user object if the user is logged in, or AnonymousUser if the user isn't logged in. All user objects also have the admin? method that returns whether the user is marked as admin in Redmine or not. That's also how Redmine identifies users internally.
If those methods don't work as expected, they are bugs and possibly security risks, yes, but then you wouldn't have to worry about only your plugin but the whole Redmine.
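The authorization check Felix describes, worked through as an added example (not code from the thread or from Redmine): the report is scoped on the server from User.current and admin?, so the user id posted by the form is treated as untrusted input rather than as the basis of the decision. The User and AnonymousUser classes are constructed stand-ins so the file runs outside Redmine; a real plugin would use Redmine's own models.

```ruby
# Constructed stand-ins for Redmine's User / AnonymousUser so this runs offline.
# In a plugin the real objects come from Redmine; User.current is read in the action.
class User
  attr_reader :id, :name
  def initialize(id, name, admin: false)
    @id, @name, @admin = id, name, admin
  end
  def admin?  = @admin   # mirrors Redmine's User#admin?
  def logged? = true
end

class AnonymousUser < User
  def initialize = super(0, 'Anonymous')
  def logged? = false    # not logged in: no report at all
end

module ReportAuthorization
  class Forbidden < StandardError; end

  # Decide whose issues the current user may generate a report for.
  # current_user : what User.current returns for this request
  # requested_id : the user id submitted by the form (untrusted, may be nil)
  # Returns the id the report query must be scoped to, or raises Forbidden.
  def self.report_user_id(current_user, requested_id)
    raise Forbidden, 'login required' unless current_user.logged?

    # Admins may report on any user; default to themselves if nothing was chosen.
    return (requested_id || current_user.id).to_i if current_user.admin?

    # Regular users are pinned to their own id; a foreign id in the form is rejected,
    # never silently honoured, so tampering is visible in the logs rather than served.
    if requested_id && requested_id.to_i != current_user.id
      raise Forbidden, "user #{current_user.id} may not report on user #{requested_id}"
    end
    current_user.id
  end
end
```

Inside the plugin's controller the same call would be `ReportAuthorization.report_user_id(User.current, params[:user_id])`, with the Forbidden case rendered as a 403 rather than rescued into a default.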