User Authentication
Blacklight is bundled with the Authlogic ruby authentication library. By default, only a small handful of the extensive feature set is enabled.
Blacklight defines a very primitive access control mechanism, used primarily to redirect users to the login page as needed. It uses the Rails #rescue_from exception handler.
To add basic authorization handling within a controller, it may be easiest to add a before_filter that implements the necessary authorization logic, e.g.:
```ruby
class UsersController < ApplicationController
  before_filter :verify_user, :only => :show # can't show without a logged in user

  # [...]

  protected

  # Sets a flash message and raises AccessDenied when no user is logged in;
  # the exception is turned into a redirect by ApplicationController#access_denied.
  def verify_user
    flash[:notice] = "Please log in to view your profile." and raise Blacklight::Exceptions::AccessDenied unless current_user
  end
end
```
The authorization method raises the Blacklight::Exceptions::AccessDenied exception. The ApplicationController uses rescue_from to handle this exception using the controller's #access_denied method. By default, #access_denied redirects the user to the login form, with the current request persisted as a request parameter:
```ruby
class ApplicationController < ActionController::Base
  rescue_from Blacklight::Exceptions::AccessDenied, :with => :access_denied

  # [...]

  def access_denied
    # Guard against a redirect loop: if the referer already ends with the URI
    # being requested, drop the flash and send the user to the root page instead.
    redirect_to root_url and flash.discard and return if request.referer =~ Regexp.new("#{request.request_uri}$")
    # Otherwise send the user to the login form, remembering where they came from.
    redirect_to login_url(:referer => request.request_uri)
  end
end
```
This behavior can be customized globally by modifying the local ApplicationController, or within specific controllers by adding either a controller-specific rescue_from handler or an #access_denied method.
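The following is an added, Rails-free simulation of the flow described above (before_filter raising AccessDenied, rescue_from dispatching to #access_denied, and the referer-based loop guard). It is not Blacklight's code; FakeController, Request, simulate_show and safe_return_path are assumed names written for this illustration, and the tiny rescue_from/before_filter registry only mimics the Rails behaviour needed here.

```ruby
# Added example, not part of Blacklight: simulate the AccessDenied redirect flow
# without Rails so it can be run and inspected stand-alone.

module Blacklight
  module Exceptions
    class AccessDenied < StandardError; end
  end
end

# Stand-in for the parts of a Rails request the handler touches (assumption).
Request = Struct.new(:request_uri, :referer, keyword_init: true)

class FakeController
  # Minimal class-level registries mimicking rescue_from and before_filter.
  def self.rescue_handlers; @rescue_handlers ||= {}; end
  def self.before_filters;  @before_filters  ||= []; end
  def self.rescue_from(klass, with:);       rescue_handlers[klass] = with; end
  def self.before_filter(name, only: nil);  before_filters << [name, Array(only)]; end

  # Subclasses inherit the handlers and filters declared on the parent.
  def self.inherited(sub)
    super
    sub.instance_variable_set(:@rescue_handlers, rescue_handlers.dup)
    sub.instance_variable_set(:@before_filters, before_filters.dup)
  end

  attr_reader :request, :flash, :current_user

  def initialize(request, current_user: nil)
    @request, @current_user, @flash, @response = request, current_user, {}, nil
  end

  # Run the filters registered for +action+, then the action itself; any
  # exception with a registered handler is routed to that handler.
  def dispatch(action)
    self.class.before_filters.each { |name, only| send(name) if only.empty? || only.include?(action) }
    send(action)
    @response
  rescue StandardError => e
    handler = self.class.rescue_handlers.find { |klass, _| e.is_a?(klass) }
    raise unless handler
    send(handler.last)
    @response
  end

  def redirect_to(target);     @response = [:redirect, target]; end
  def root_url;                "/"; end
  def login_url(referer:);     "/login?referer=#{referer}"; end
end

class ApplicationController < FakeController
  rescue_from Blacklight::Exceptions::AccessDenied, with: :access_denied

  # Same logic as the page's #access_denied; the request URI is escaped so
  # regexp metacharacters in a path cannot change the match.
  def access_denied
    if Regexp.new("#{Regexp.escape(request.request_uri)}$").match?(request.referer.to_s)
      flash.clear                      # flash.discard equivalent
      return redirect_to(root_url)     # break the redirect loop
    end
    redirect_to login_url(referer: request.request_uri)
  end
end

class UsersController < ApplicationController
  before_filter :verify_user, only: :show

  def show; @response = [:ok, "profile of #{current_user}"]; end

  protected

  def verify_user
    flash[:notice] = "Please log in to view your profile." and raise Blacklight::Exceptions::AccessDenied unless current_user
  end
end

# Drive one GET /users/:id through the filter chain; returns [response, flash].
def simulate_show(user:, uri:, referer: nil)
  ctrl = UsersController.new(Request.new(request_uri: uri, referer: referer), current_user: user)
  [ctrl.dispatch(:show), ctrl.flash]
end

# Defensive helper (assumption, not in Blacklight): when the login form later
# sends the user back to the persisted referer, accept only a same-site path
# so the parameter cannot be turned into a redirect to another host.
def safe_return_path(referer, fallback: "/")
  return fallback unless referer.is_a?(String)
  return fallback unless referer.start_with?("/") && !referer.start_with?("//")
  referer
end

if __FILE__ == $0
  p simulate_show(user: nil, uri: "/users/1")
  p simulate_show(user: nil, uri: "/users/1", referer: "http://example.test/users/1")
  p simulate_show(user: "alice", uri: "/users/1")
end
```

The first call shows the normal path (flash set, redirect to the login form with the original URI as the referer parameter); the second shows the loop guard firing when the referer already points at the requested URI; the third shows a logged-in user reaching the action. safe_return_path is the check a practitioner would add on the login side before honouring the persisted referer.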