sul-dlss/rialto-web

RIALTO Web App

Test RIALTO Web App 2025

Setup

rails db:migrate

Running

rails s

Quick start with a logged in user with workgroup access:

bin/dev

Simulate logged in users

Note that the login button doesn't do anything on localhost since shib is not available. You can simulate a logged in shib user with an environment variable:

REMOTE_USER=peter rails s

A logged in user in a single workgroup:

REMOTE_USER=peter ROLES=sul:rialto rails s

A logged in user in multiple workgroups (the list is semicolon-separated, so it must be quoted or the shell will treat the semicolon as a command separator):

REMOTE_USER=peter ROLES="sul:rialto;sul:dlss" rails s

Website Access Levels

There are three base controllers that determine access levels:

  1. PublicController - any controllers which subclass from this controller will have views that are visible to anyone
  2. StanfordController - any controllers which subclass from this controller will have views that require the user to be webauthed (but no specific workgroups are checked)
  3. RestrictedController - any controllers which subclass from this controller will have views that require the user to be webauthed and, in addition, to be a member of the workgroup defined in the settings.yml file (as checked in the RestrictedPolicy)

Note that if required you can create additional policies and additional controllers to check membership in other workgroups. You will need to be sure that the additional workgroups you are checking membership for are passed through from shibboleth to the app on login. This requires filing an Ops ticket, e.g. https://github.com/sul-dlss/operations-tasks/issues/4238

If you need more flexibility within a controller, you can make the controller public and then protect individual actions with different policies by adding something like this to the action method: authorize! to: :view?, with: StanfordPolicy. See OrcidAdoptionController for an example.
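The three access levels above, reduced to plain Ruby as an added example (this is not code from rialto-web; ShibUser, AccessLevel and REQUIRED_WORKGROUP are assumed names, and the semicolon-separated ROLES format follows the development setup described above):

```ruby
# Added example, not code from sul-dlss/rialto-web. ShibUser, AccessLevel
# and REQUIRED_WORKGROUP are illustrative names; the real app uses
# RestrictedPolicy and reads the workgroup from settings.yml.

# Constructed stand-in for the workgroup that settings.yml would define.
REQUIRED_WORKGROUP = 'sul:rialto'

# What Shibboleth (or REMOTE_USER/ROLES in development) hands the app on login.
ShibUser = Struct.new(:sunet_id, :workgroups) do
  # Build a user from env-style values; a missing REMOTE_USER means no login.
  def self.from_env(remote_user, roles)
    return nil if remote_user.nil? || remote_user.strip.empty?

    # ROLES arrives as "a;b;c"; ignore blank entries so "a;;b" is harmless.
    groups = roles.to_s.split(';').map(&:strip).reject(&:empty?)
    new(remote_user, groups)
  end

  def member_of?(workgroup)
    workgroups.include?(workgroup)
  end
end

module AccessLevel
  # PublicController: anyone may view, logged in or not.
  def self.public_view?(_user)
    true
  end

  # StanfordController: user must be webauthed; no workgroup is checked.
  def self.stanford_view?(user)
    !user.nil?
  end

  # RestrictedController / RestrictedPolicy: webauthed AND in the configured
  # workgroup. Deny by default when there is no user or no matching group.
  def self.restricted_view?(user, workgroup = REQUIRED_WORKGROUP)
    !user.nil? && user.member_of?(workgroup)
  end
end
```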

In views, you can test a user's access level like this:

<% if authenticated? && allowed_to?(:view?, :stanford) %>
    <!-- stanford only stuff -->
<% end %>
<% if authenticated? && allowed_to?(:view?, :restricted) %>
    <!-- business case stuff -->
<% end %>

If you need to do this in a component view, add this to your component:

delegate :authenticated?, :allowed_to?, to: :helpers

Embedding Tableau Dashboards

Tableau dashboards can be embedded using the DashboardEmbedComponent. If the dashboard requires authorization to view, you should first have the view mint a JWT token for the connected app, and then pass the generated token (in @token) to the DashboardEmbedComponent. The token is generated by adding a before_action in the controller like this:

before_action :mint_jwt_token

Note that this should only be done in views that are behind auth, since the JWT token generation code depends on there being a logged in user.

Tests

All of the below checks are part of the default Rake task, and so will run if you call bin/rake.

You can run individual checks with the following commands:

Run lint:

bundle exec rubocop
bundle exec erb_lint --lint-all --format compact

Run tests:

bundle exec rspec

Run Brakeman (static security analysis):

bin/brakeman

About

RIALTO Web Application (2025)
