Fetch current user in models

0

Dislike

flyerhzm Posted by flyerhzm on August 23, 2010

I don't remember how many times I need to fetch current user in models, such as audit log. Here is a flexible way to set the current user in and fetch the current user from User model.

I don't remember how many times I need to fetch the current user in models, for example, I want to log who creates, updates or destroys a post in the Audit model. There is no default way to fetch the current user in models, current_user object is always assigned in controllers (thanks to authentication plugins, restful_authentication, authlogic and devise), we can pass the current user object from controllers to models, but it is too ugly. I think the better way is to add the current user to User model by Thread.current hash.

class User < ActiveRecord::Base
  def self.current
    Thread.current[:user]
  end
  def self.current=(user)
    Thread.current[:user] = user
  end
end

As you seen, we add two class methods to User model, User.current to fetch the current user and User.current= to assign the current user. So what you need to do is to assign the current user in User model every request you need a current user. Such as

class ApplicationController < ActionController::Base
    def set_current_user
      User.current = current_user
    end
end

class PostsController < ApplicationController
  before_filter :require_user # require_user will set the current_user in controllers
  before_filter :set_current_user
end

Now you can easily fetch the current_user in models by User.current, enjoy it!

model
related best practices:

Comments

eric Posted by eric on 2010-08-24T01:57:41Z

I have used a similar method before except never used the threads (just cattr_accessor). Nice to know the threads might be required.

ngty Posted by ngty on 2010-08-24T05:00:14Z

Very cool tip, but can there be any side effect with using of Thread ? i'm not familar with thread-stuff to start with, that's why for the concern.

flyerhzm Posted by flyerhzm on 2010-08-24T08:11:26Z

@ngty, Thread.current is used to store and fetch the thread local variables. That means two threads have the same variables but these variables are referring to the different memory locations. If you see the rails 3.0.rc source codes, you will find rails also use Thread.current for time_zone, active_record_sql_runtime and etc.

Topper Bowers Posted by Topper Bowers on 2010-08-24T18:47:37Z

I think this kind of breaks the whole MVC pattern that rails is trying to establish. Far better to have the controller pass in a user object. If your models are nicely written, then it doesn't usually look so bad. Even better if you can do stuff like user.permissions.unlock! or something (where you are actually acting on the user).

Far better to say: Permission.unlock!(current_user) than just Permission.unlock! though. It makes it clear in the controller what you are actually doing.

As for the other guys... you should probably not store things in class variables that are mutable per request. Much better to use the Thread.current[] technique if you do need to keep some things available for the whole request.

jemmyw Posted by jemmyw on 2010-08-25T01:35:36Z

I agree with Topper, you don't want to fetch the current user from a model ever.

idahoev Posted by idahoev on 2010-08-25T04:46:09Z

This is a terrible idea. Most servers reuse threads from request to request ... giving you a very easy way to accidentally leak your user authentication from one user to another.

You're essentially just creating a global variable and using it to store data that should be sensitive and persisted only for the current user. It's an awful no-no.

Models aren't supposed to have direct access to session state; it's outside their jurisdiction and a violation of separation of concerns.

Since you'd have to call User.current= from the controller anyway, you should just let the controller handle it. If your model needs to associate with the current user, pass the current user to the model when the controller creates it.

flyerhzm Posted by flyerhzm on 2010-08-25T07:10:38Z

@Tropper, @jemmyw, @idehoev, I know the way to fetch current user in models violates the MVC pattern.

In my opinion, patterns are very important, I always think what are the benefits some design pattern brings us, and what are the disadvantages. MVC pattern decouples the views and models, and increases the flexibility and maintainability of codes. In general, we should always follow this pattern, but if it makes my codes too complex to follow it, I will violate it.

For example, we have a collaborative system, and we want to log who creates, updates or deletes an item (maybe a question, a post or other things), we use Observer to track all of the operations when item is created, updated and destroyed, it makes things much easier if we can access the User.current in Observer.
You may say we can do the track logic in the controllers, but that means you have to write your track logic all over the controllers, because the track logic is depend on models.

I just give you a solution to fetch the current user from models, you can decide to use it or not, I think it depends on whether it makes your codes simple and easy.

madsheep Posted by madsheep on 2010-08-25T08:06:03Z

This is the worst 'best' practice i have ever seen. Broken mvc model, bloated threads, code confusion... It has it all.

@eric - you s'd realy refactor your application, using just cattr_accessor is not thread safe!

eric Posted by eric on 2010-08-25T14:53:37Z

Is knowing the current user really a controller only issue? Or do we think this is only a controller issue because HTTP is stateless and the controller happens to be where we layer a stateful environment into our app. If this were a desktop app would we consider knowing the current user something that it out of the scope of the models?

User.current provides a defined interface. The models know that User.current stores the current user (if there is a current user). They don't care how that value get's set (that is a concern for the specific environment that the model is being run in). In a desktop app we might set it when the app launches. On a web-app we reset it every time a request comes in to simulate a stateful environment on a stateless protocol. At the console we might set it prior to carrying out ad-hoc operations. Regardless of the environment the models have a defined API for knowing the current user that they can use in their Observers, callbacks, etc. This is great for things like logging actions (like @flyerhzm mentions) or for things like model-level security.

I'm not saying that in all cases you should have this API. For simpler models you might just want to do something like current_user.posts.create params[:post] to create a Post that has the current user attached. But for more complex models and observers it might be necessary for them to know the current user to carry out their operations. Having User.current as a defined API for determining the current user (and then in the case of a web-app set that variable on each request) seems like a reasonable approach.

cmingxu Posted by cmingxu on 2010-08-26T02:05:12Z

I agree with eric, sometimes we do need have access to current_user in model. And i do not think current_user have any issue with "Thread" beacuse it just per request thing, setting User.current_user and
handling the other thing just *for* response to the request.

smitjel Posted by smitjel on 2010-08-28T04:09:25Z

So is this pretty much the same as sentient_user?

Also, to the folks saying this breaks MVC...flyerhzm is using this method as a form of aspect oriented programming. He's able to access the current user from the Observer so he doesn't have to duplicate that code all over controllers. That's a very useful pattern. I'd like to see how you accomplish the same thing without "breaking MVC" and duplicating code.

spyromus Posted by spyromus on 2010-08-31T12:31:36Z

-1 for this one

@smitjel, MVC isn't broken here. What's broken is the chain of responsibility. Current user is part of the request / session context. User model sits underneath and "knows" nothing about where it's used. I can open console and start using User model without even making a request to the app through the controller stack.

Moreover, current_user makes no sense on the model level if the app is designed correctly. The practice itself gives a sign that the design is somewhat smelly. I assume that there are models that need some user (a post needs an author, a friend needs... well... a friend etc), but to them "user" instance is just another object that doesn't have that additional burden of being mystically "current".

To illustrate my point, imagine a scenario when you are logged in as an admin user and impersonating someone. This feature is quite common, but who will be your current_user in this case? Will you add another field to the User model and "teach" whole bunch of models in your domain to respect these two? Is that going to be DRY?

My solution would be to leave it to the controller to decide who's current and what user instance to give to models. Traditionally, current_user is the method of ApplicationController and a helper method at the same time to be available in the views. If you Surgeon model needs a user, send her through the door; don't ask a User model who's current today.

giuseb Posted by giuseb on 2011-07-24T15:29:32Z

I agree with those who believe that the identity of the current user is, far from a mystical notion, a useful piece of information to have in the model layer, and I fail to smell bad smells or understand how the practice breaks anything (rotten eggs?)

For example, when I submit this comment, the Comment model will presumably have a user_id field to fill, right? Assuming that this forum requires authentication before allowing comments, then user_id will only and always be assigned the current_user's id, and that, to me, is business logic.

In practice, from the controller one can of course pass current_user as an additional parameter to the call to the model, as some suggest. Others prefer setting User.current in advance, so that it can be repeatedly referred to within the model layer, and I personally like this approach.

What I am not sure I understand, stylistic considerations aside, is the safety of the solution proposed by flyerhzm.

idahoev says it's a big no-no, that the possibility exists for sensitive data to persist and leak to other sessions. flyerhzm, in his reply, does not seem to specifically address the concern.

Can anyone please help discriminate between the beauty of the pattern (or lack thereof) and its safety?

Thanks!

anonymous Posted by Jo on 2011-07-27T15:16:26Z

The API documentation for Observer suggests using the class in order to avoid burdening the model with functionality that "doesn't pertain to the core responsibility of the class". That's wide open for interpretation and uses.

The one example the API doc gives is simple--logging some strings. When you start applying Observer to more complex uses, you realize that the class is incomplete. It should provide a binding or be relocated to another module where it has access to more information.

I find the Thread technique to be the least offensive but I have a problem with it because it splits observation between controller and model. Why not just do everything in the controller?

This kind of problem points out the fact that you can't do everything strictly adhering to MVC. But I don't think having part of the code in one class and another part in a different class is the solution. This Observer class needs to be refactored to a location where it works for any use.

anonymous Posted by workdreamer on 2011-08-12T16:44:06Z

Thank you! Helps a lot!

anonymous Posted by nroose on 2011-10-26T18:39:58Z

I am on a project that used to use Thread to store something that user-related. It was always something that we said should change. Then we "fixed" it to be sent in from the controller to every model call that needed it. Sure is a pain in the ass. Glad we don't have to do that with Time Zone. And it sure would be nice if current_user was available everywhere like Time Zone is. I don't know if Thread is the right place, but it seems like there should be some place that would be a good place. Perhaps a reference to the session would be nice... And I don't understand why people get up in arms when we do the same thing with user and other user data that we do with time zone. Time zone is inherently an attribute of the user, as are the user id, and other information about the user. I really think all session info should be available everywhere... That would be convenient like time zone. Or, if there is really a good reason to keep it available only in the controller, then time zone should be handled that way too.

anonymous Posted by Tristan Kromer on 2011-12-21T09:19:25Z

Awesome! This worked like a charm for me and is just what I needed. Thanks!

anonymous Posted by entrepro on 2012-01-20T18:24:42Z

Hi Eric,
This is thought-provoking. Thanks for sharing. For a moment, I liked the idea. I am new to rails paradigm, so its possible that I might be over thinking this. But, what about thread safety? I have read that rails is single-threaded, but I am a noob and don't know whether any context-switching every happens between threads. Is User.current not effectively a singleton? If so if there is a possibility of thread context switches, this method can a) lead to data integrity issues or b) if rails is implicitly guaranteeing thread safety then race conditions etc. are possible...

As I said, I just got started with rails, and I would like to hear your and others' thoughts on this topic from this angle.

Thanks for raising the topic.

-TS
Post a comment

  1. Note: if you are a registered user, you can log in without input username.

    2. You may use ONLY these HTML tags to format your comment:

    <a href="" title=""> <b> <blockquote> <pre> <code> <em> <i> <strong>

    Use <pre><code>...</code></pre> for multi-line codes.

    Do not use <p> tags. Just use newlines.

Fork me on GitHub