I've done Michael Hartl's tutorial and now I'm using it to build a project. For authentication/authorization I'm basically using the same code from the tutorial and the sample app that I built with it. In my project, though, the signout (destroy session) is not working. After clicking the signout link it redirects to the home page, but the page has the wrong links in the navigation and I can still access pages I shouldn't be able to (indicating that I'm still signed in), and I can't figure out what's wrong. Any ideas?
Sessions Controller
class SessionsController < ApplicationController
  def new
    render 'new'
  end

  def create
    user = User.find_by_email(params[:session][:email])
    if user && user.authenticate(params[:session][:password])
      sign_in user
      redirect_to user
    else
      flash.now[:error] = 'Invalid email/password combination'
      render 'new'
    end
  end

  # Clears the remember_token cookie via SessionsHelper#sign_out
  def destroy
    sign_out
    redirect_to root_path
  end
end
Sessions Helper
module SessionsHelper
  def sign_in(user)
    cookies.permanent[:remember_token] = user.remember_token
    self.current_user = user
  end

  def signed_in?
    !current_user.nil?
  end

  def current_user=(user)
    @current_user = user
  end

  # Looks the user up by the remember_token cookie on every request.
  # If the cookie is absent this passes nil to the finder.
  def current_user
    @current_user ||= User.find_by_remember_token(cookies[:remember_token])
  end

  def current_user?(user)
    user == current_user
  end

  def sign_out
    self.current_user = nil
    cookies.delete(:remember_token)
  end
end
Header Links
<header>
  <h1><%= link_to image_tag('logo.gif'), root_path %></h1>
  <div id="login-sec">
    <div class="login-row">
      <div class="col">
        <% if signed_in? %>
          <ul>
            <li><%= link_to "Signout", signout_path, method: "delete" %></li>
          </ul>
        <% else %>
          <ul>
            <li><%= link_to "Forgot Password", "#" %></li>
            <li class="last"><%= link_to "New user register here", signup_path %> </li>
          </ul>
          <br /><br /><center><%= link_to image_tag('go-btn.png'), signin_path %></center>
        <% end %>
      </div>
    </div>
  </div>
</header>
User Model (where remember token is created)
class User < ActiveRecord::Base
  attr_accessible :company, :name, :email, :password, :password_confirmation
  has_secure_password
  before_save { |user| user.email = email.downcase }
  # Only runs when a record is saved; rows that already existed before this
  # callback was added keep a nil remember_token until they are saved again.
  before_save :create_remember_token

  validates :name, presence: true, length: { maximum: 70 }
  VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
  validates :email, presence: true,
                    format: { with: VALID_EMAIL_REGEX },
                    uniqueness: { case_sensitive: false }
  validates :password, presence: true, length: { minimum: 6 }
  validates :password_confirmation, presence: true

  private

  def create_remember_token
    self.remember_token = SecureRandom.urlsafe_base64
  end
end
Routes File
App::Application.routes.draw do
  resources :users
  resources :sessions, only: [:new, :create, :destroy]
  root to: 'static_pages#home'
  match '/about', to: 'static_pages#about'
  match '/contact', to: 'static_pages#contact'
  match '/signup', to: 'users#new'
  match '/about-yourself', to: 'users#about-yourself'
  match '/signin', to: 'sessions#new'
  match '/signout', to: 'sessions#destroy', via: :delete
end
Figured it out. I made users before I put in the signout actions, so I could test out the signin and signup actions. No remember token was created for these users, so they were always signed in and there was no remember token to destroy.
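The failure the answer describes, as an added stand-alone example that is not code from the question or from Hartl's tutorial: a user row with a nil remember_token matches a lookup made with a missing cookie (ActiveRecord turns a nil argument into `WHERE remember_token IS NULL`), so every visitor resolves to that user. The in-memory `USERS` list, `find_by_remember_token`, and the `*_hardened`/`backfill_*` helpers are constructed stand-ins for the Rails pieces.

```ruby
require 'securerandom'

# Constructed stand-in for the users table. A nil remember_token models a
# row created before the before_save :create_remember_token callback existed.
User = Struct.new(:id, :email, :remember_token)

USERS = [
  User.new(1, 'legacy@example.com', nil),                        # pre-callback user
  User.new(2, 'fresh@example.com',  SecureRandom.urlsafe_base64) # post-callback user
]

# Mimics ActiveRecord's find_by_remember_token: a nil token compares equal
# to a nil column, just as "IS NULL" matches the legacy row in SQL.
def find_by_remember_token(users, token)
  users.find { |u| u.remember_token == token }
end

# The helper as posted: with no cookie at all, the legacy user comes back,
# so the visitor is treated as signed in and sign_out has nothing to delete.
def current_user_original(users, cookies)
  find_by_remember_token(users, cookies[:remember_token])
end

# Hardened lookup: a missing or blank cookie can never resolve to a user.
def current_user_hardened(users, cookies)
  token = cookies[:remember_token]
  return nil if token.nil? || token.strip.empty?
  find_by_remember_token(users, token)
end

# Backfill: assign a token to every pre-existing user so no nil rows remain
# (in a Rails app this would be a migration or one-off rake task).
# Returns the number of users still lacking a token afterwards.
def backfill_remember_tokens(users)
  users.each { |u| u.remember_token ||= SecureRandom.urlsafe_base64 }
  users.count { |u| u.remember_token.nil? }
end
```

Both fixes are worth applying together: the blank-token guard stops an empty cookie from ever matching a row, and the backfill removes the rows that the unguarded lookup would otherwise match.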