Forcing Users To Log In (Ruby on Rails)

Although I demonstrated protecting a page from access by a user who wasn’t logged in back when we did the Forest controller for combat, I didn’t protect either the Bank or Healer pages when we did them. It’s easy enough to commit that kind of mistake now, but ten times easier when your pages are much more complicated and you’re trying to get your game finished. In this entry we’ll not only fix both of the pages we missed, we’ll set it up so all the future pages we add are protected automatically from access by a user who isn’t logged in.

The way that occurs to you first is to fix all the controllers individually. That is, add the “before_filter…” line to bank_controller.rb, healer_controller.rb, etc. But that has two problems with it. One is that it is repeating ourselves and Rails is always trying to teach you “Don’t Repeat Yourself” and the other problem is that it is error prone. It’s too easy to add a new controller for some new pages and forget to put security on them.

What we want in all cases is for security to already be there and we just turn it off in those few cases where we don’t need it rather than having to remember to do so when we do need it.

So we’ll remove the “before_filter :login_required” line from the forest_controller.rb and move it instead to the application.rb file. Since all our other controllers inherit from this one controller, every method on all of them will be instantly protected. In fact, we’re now a little too protected, the user can no longer go to even the welcome page without logging in first.

In order to fix that, we’ll add an override to three controllers. The Welcome controller (welcome_controller.rb), the Users controller (users_controller.rb), and the Sessions controller (sessions_controller.rb):

skip_before_filter :login_required

With that in place we’ll skip the login requirement just for the pages related to those three controllers but the bank, healer, forest, and any other controller we add from now on will be protected from entry by users who haven’t logged in yet.

Authorization Is Not Authentication

I almost made this an extra credit item but it became too long and it’s a basic thing that most any game is going to have to deal with eventually. Authentication and authorization are not the same thing. All we have gotten so far from restful_authentication is just that, authentication. It lets someone sign up in the system and then verifies later via login name and password that the person trying to log in is a person the site has seen before and specifically which one it is.

Authorization is about permission to do things. Once I know who logged in, what is he or she allowed to do? Play the game, kick out duplicate accounts, end the game? restful_authentication has hooks built in which can be used with other plugins to manage complicated permission systems but you can also easily stick some simple testing in yourself. Let’s add a page which can only be accessed by a select user to demonstrate this.

> ruby script/generate controller Admin index

Update your new Admin controller (app/controllers/admin_controller.rb) to add the authorized? function you see below:

class AdminController < ApplicationController
  def index
  # By adding a function named "authorized?" and performing a test in it
  # we use one of the hooks provided by restful_authentication.
  def authorized?
    current_user.login == "Admin"

Now try to go to the admin page (http://localhost:3000/admin). If you create a user named “Admin” then you will be able to access the page when you are that user. Any other user will fail and will be automatically redirected.

Wish there was more?

I'm considering writing an ebook - click here.


John Munsch is a professional software developer with over 20 years experience. He created a series of game development sites (XPlus and on his own before co-founding in 1999. The blog for his PBBG work is located at

Tags: ,

Monday, October 6th, 2008 buildingbrowsergames, code, medieval
blog comments powered by Disqus


Building Browsergames is a blog about browsergames(also known as PBBG's). It's geared towards the beginner to intermediate developer who has an interest in building their own browsergame.


Got Something to Say?

Send an e-mail to, or get in touch through Twitter at