Thanks to Zack for this recipe
The problem:
How to add a lightweight extra layer of authorisation for a closed beta test when you already have your auth in place.
The solution:
Add a simple codeword auth to the app that doesn’t interfere with your existing authorisation scheme, and takes 5 minutes to add. It means beta testers can see the site as guests as well as logged-in users.
It’s also easy to adapt so that more, or less, of the app can be revealed over time.
How it works:
In your environment config (/config/environment.rb) put the following:
module YOUR_APP
PREVIEW_KEY = 'your_app_007'
end
In your application controller (application.rb) put the following:
class ApplicationController < ActionController::Base
def ensure_covertness
return true if request.env['SERVER_NAME'].nil? ||
request.env['SERVER_NAME'].include?('localhost')
if session[:preview_key] != YOUR_APP::PREVIEW_KEY
redirect_to :controller => 'index', :action => 'preview' and return false
else
true
end
end
end
In your front page controller (in this example index_controller.rb) put the following:
class IndexController < ApplicationController
before_filter :ensure_covertness, :except => :preview
def preview
if request.post? && params[:code] == YOUR_APP::PREVIEW_KEY
session[:preview_key] = YOUR_APP::PREVIEW_KEY
redirect_to :action => 'index'
else
render :layout => false
end
end
end
Then create preview.rhtml in (views/index/):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Preview</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body style="text-align: center; margin-top:100px"
onLoad="document.forms[0].elements[0].focus();">
<%= start_form_tag %>
<%= password_field_tag 'code' %>
<%= submit_tag 'Submit' %>
<%= end_form_tag %>
</body>
</html>
Now put this line in every controller you don’t want the public to see:
before_filter :ensure_covertness
Alternatively, put this in the application controller, and then put the following in the index controller if you don’t want any of the site revealed to the public:
skip_before_filter :ensure_covertness, :only => :preview
Issues
Compared with webserver authorisation (at least digest type) it’s obviously not nearly as secure, but does tie in neatly with the app, allowing you to easily reveal bits of it at a time (a lot more fiddly).
You could also, for example, make the main page (preview.rhtml) that people see one that gives a tour of the soon-to-be revealed site and captures email addresses.
You can also easily just restrict it to production (or any other) environment.
Not rocket science, but as long as you’re aware of the potential downsides, works pretty well.
Thanks to Zack for this recipe
The problem:
How to add a lightweight extra layer of authorisation for a closed beta test when you already have your auth in place.
The solution:
Add a simple codeword auth to the app that doesn’t interfere with your existing authorisation scheme, and takes 5 minutes to add. It means beta testers can see the site as guests as well as logged-in users.
It’s also easy to adapt so that more, or less, of the app can be revealed over time.
How it works:
In your environment config (/config/environment.rb) put the following:
module YOUR_APP
PREVIEW_KEY = 'your_app_007'
end
In your application controller (application.rb) put the following:
class ApplicationController < ActionController::Base
def ensure_covertness
return true if request.env['SERVER_NAME'].nil? ||
request.env['SERVER_NAME'].include?('localhost')
if session[:preview_key] != YOUR_APP::PREVIEW_KEY
redirect_to :controller => 'index', :action => 'preview' and return false
else
true
end
end
end
In your front page controller (in this example index_controller.rb) put the following:
class IndexController < ApplicationController
before_filter :ensure_covertness, :except => :preview
def preview
if request.post? && params[:code] == YOUR_APP::PREVIEW_KEY
session[:preview_key] = YOUR_APP::PREVIEW_KEY
redirect_to :action => 'index'
else
render :layout => false
end
end
end
Then create preview.rhtml in (views/index/):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Preview</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body style="text-align: center; margin-top:100px"
onLoad="document.forms[0].elements[0].focus();">
<%= start_form_tag %>
<%= password_field_tag 'code' %>
<%= submit_tag 'Submit' %>
<%= end_form_tag %>
</body>
</html>
Now put this line in every controller you don’t want the public to see:
before_filter :ensure_covertness
Alternatively, put this in the application controller, and then put the following in the index controller if you don’t want any of the site revealed to the public:
skip_before_filter :ensure_covertness, :only => :preview
Issues
Compared with webserver authorisation (at least digest type) it’s obviously not nearly as secure, but does tie in neatly with the app, allowing you to easily reveal bits of it at a time (a lot more fiddly).
You could also, for example, make the main page (preview.rhtml) that people see one that gives a tour of the soon-to-be revealed site and captures email addresses.
You can also easily just restrict it to production (or any other) environment.
Not rocket science, but as long as you’re aware of the potential downsides, works pretty well.