Search code examples
ruby-on-railsdeviseruby-on-rails-5warden

how to apply :session_limitable at a specific user ? (devise-security )


I use the gem currency-security https://github.com/devise-security/devise-security I apply: session_limitable to my model user, it works very well. But then my model user has several statuses, how can I apply: session_limitable only to users of status "mystatus" and not to others for example? (without creating additional models)

class User< ApplicationRecord

 devise :session_limitable (only if user.status == "mystatus")

end

Solution

  • From what I can tell this gem doesn't offer per object behaviour. You either get all or none.

    In fact, even if you'd like to overload some methods you can't because the hooks that are responsible for this functionality (they are defined here: https://github.com/devise-security/devise-security/blob/master/lib/devise-security/hooks/session_limitable.rb)

    aren't really written in a way that let's you do it.

    In your place I would probably either:

    1. fork the gem and make it more customizable (and submit a PR)

    2. have your own custom session_limitable solution (This doesn't look very hard)

    Thus being said here is a hacky solution that you may find helpful:

    if you override respond_to? method in your User model and have some custom business logic in it (like checking for user status) then you can make the hooks that are fired in the Warden after_set_user behave in a way that you want to.

    def respond_to?(method_name, include_private = false)
      if method_name.to_s == 'unique_session_id' && self.status == 'mystatus'
        false
      else
        super
      end
    end