1
00:00:00,000 --> 00:00:05,000
[Master Class] [Designer and Developer Workflow] [Assigning Users to Jobs]

2
00:00:05,000 --> 00:00:08,000
[Jim Hoskins] Now we have some authorization in place that

3
00:00:08,000 --> 00:00:11,000
allows us to protect certain pages from

4
00:00:11,000 --> 00:00:13,000
people who are not logged in.

5
00:00:13,000 --> 00:00:16,000
This edit page here we're unable to get to,

6
00:00:16,000 --> 00:00:19,000
and there's an error message displaying for us

7
00:00:19,000 --> 00:00:22,000
when we try to access it.

8
00:00:22,000 --> 00:00:25,000
If I were to click on "New Job," again, we must be logged in.

9
00:00:25,000 --> 00:00:29,000
I'm going to sign in, and now I should be able to click "New Job,"

10
00:00:29,000 --> 00:00:32,000
and we can see the New Job form.

11
00:00:32,000 --> 00:00:36,000
Now, right now, only 1 of our jobs has a

12
00:00:36,000 --> 00:00:39,000
user associated with it, and that's because we put a lot of this data in

13
00:00:39,000 --> 00:00:45,000
before we really had the idea of a user being associated with a job.

14
00:00:45,000 --> 00:00:48,000
In our actual application, we want all of our jobs to be

15
00:00:48,000 --> 00:00:50,000
associated with users.

16
00:00:50,000 --> 00:00:52,000
What we need to do is either delete

17
00:00:52,000 --> 00:00:56,000
all these invalid jobs or update them so they have a user.

18
00:00:56,000 --> 00:00:58,000
What I'm going to do is go in the console and

19
00:00:58,000 --> 00:01:02,000
update it so all the jobs have a user associated with them.

20
00:01:02,000 --> 00:01:05,000
So, to do this, I'm going to open up the console,

21
00:01:05,000 --> 00:01:09,000
and we'll just say all of the jobs have the same user.

22
00:01:09,000 --> 00:01:12,000
I'll open up our Rails console here.

23
00:01:12,000 --> 00:01:15,000
And let me just check for a user ID.

24
00:01:15,000 --> 00:01:18,000
I'm going to grab the first user

25
00:01:18,000 --> 00:01:21,000
and grab its ID.

26
00:01:21,000 --> 00:01:23,000
And the user ID is 1,

27
00:01:23,000 --> 00:01:27,000
so now what we can do is update all the jobs so their user ID is 1.

28
00:01:27,000 --> 00:01:32,000
And to do that, we'll just do "Job.update_all,"

29
00:01:32,000 --> 00:01:39,000
and we'll say "user_id" is 1.

30
00:01:39,000 --> 00:01:43,000
If we're going to take a look at, say, Job.last.id,

31
00:01:43,000 --> 00:01:47,000
or rather, Job.last.user_id,

32
00:01:47,000 --> 00:01:49,000
we can see that the user ID is 1.

33
00:01:49,000 --> 00:01:52,000
Let's take a look in the web browser

34
00:01:52,000 --> 00:01:55,000
and see if we refresh, all of our jobs now should be

35
00:01:55,000 --> 00:01:57,000
associated with my user.

36
00:01:57,000 --> 00:01:59,000
All right, that looks good.

37
00:01:59,000 --> 00:02:01,000
What I'm going to do is create another user so we can just

38
00:02:01,000 --> 00:02:04,000
test this out a little bit, so I'm going to sign out,

39
00:02:04,000 --> 00:02:09,000
and I'm going to register as Nick.

40
00:02:09,000 --> 00:02:11,000
We have a new user.

41
00:02:11,000 --> 00:02:14,000
We are signed in.

42
00:02:14,000 --> 00:02:17,000
And we're still having a little bit of navigation problems here, but we'll fix that soon.

43
00:02:17,000 --> 00:02:20,000
But we can see we're now logged in as Nick.

44
00:02:20,000 --> 00:02:24,000
We want to make sure the current user is associated with that new job,

45
00:02:24,000 --> 00:02:26,000
so let's check out our jobs controller.

46
00:02:26,000 --> 00:02:29,000
And there are a couple of different ways we could go about this.

47
00:02:29,000 --> 00:02:32,000
We could try to add it to the parameters in the form

48
00:02:32,000 --> 00:02:35,000
that they're going to submit from new,

49
00:02:35,000 --> 00:02:37,000
but we don't really need to worry about that.

50
00:02:37,000 --> 00:02:39,000
We're going to let them submit without information, and on the step

51
00:02:39,000 --> 00:02:43,000
where we actually create it, that point is when we can be sure

52
00:02:43,000 --> 00:02:46,000
who is actually making the request, and we can make sure we put

53
00:02:46,000 --> 00:02:50,000
the correct user in the new job.

54
00:02:50,000 --> 00:02:52,000
So, a very, very simple way we can do this

55
00:02:52,000 --> 00:03:02,000
is to simply say "job.user = current_user."

56
00:03:02,000 --> 00:03:06,000
And remember that current user returns the user instance

57
00:03:06,000 --> 00:03:08,000
of the person who's logged in, and in order for a create

58
00:03:08,000 --> 00:03:11,000
to even be running, current user has to be true,

59
00:03:11,000 --> 00:03:14,000
otherwise the before filter that we wrote would have rejected it

60
00:03:14,000 --> 00:03:16,000
and not allowed this to execute.

61
00:03:16,000 --> 00:03:18,000
Now, we do it at this stage here just to make sure

62
00:03:18,000 --> 00:03:22,000
that they're not passing in a user ID as part of the params

63
00:03:22,000 --> 00:03:26,000
trying to override anything or manually overriding the user

64
00:03:26,000 --> 00:03:30,000
after any untrusted input has been put into Job.new.

65
00:03:30,000 --> 00:03:33,000
There are a couple other security considerations that we'll explore

66
00:03:33,000 --> 00:03:36,000
a little bit later, but for right now, we just want to make sure that the

67
00:03:36,000 --> 00:03:40,000
user is associated with the current user any time we do this.

68
00:03:40,000 --> 00:03:43,000
We've created a new job based on the form.

69
00:03:43,000 --> 00:03:46,000
We forced user to be the current user no matter what.

70
00:03:46,000 --> 00:03:49,000
And now we'll save it, and this should be enough.

71
00:03:49,000 --> 00:03:51,000
Let's check it out.

72
00:03:51,000 --> 00:03:53,000
Now that I'm signed in as Nick, I'll create a new job.

73
00:03:53,000 --> 00:04:02,000
Let's say "Hammock Comfort Specialist."

74
00:04:02,000 --> 00:04:06,000
And this will be for "Hammocks, Hammocks, Hammocks."

75
00:04:06,000 --> 00:04:13,000
"Test the comfort of our new hammocks."

76
00:04:13,000 --> 00:04:16,000
And I'll leave the details link out there.

77
00:04:16,000 --> 00:04:18,000
So, hopefully, when we save this,

78
00:04:18,000 --> 00:04:22,000
we've created a new job, and automatically,

79
00:04:22,000 --> 00:04:26,000
Nick Pettit is associated with this new job.

80
00:04:26,000 --> 00:04:28,000
So, we can go back.

81
00:04:28,000 --> 00:04:31,000
We see we have the new job here by Nick.

82
00:04:31,000 --> 00:04:35,000
We have other jobs by Jim, so it looks like we are now

83
00:04:35,000 --> 00:04:39,000
associating our new jobs with the person who created them.

84
00:04:39,000 --> 00:04:42,000
The next step is to restrict access for editing and deleting

85
00:04:42,000 --> 00:04:45,000
to the person who created it.