Thanks to Zack for this recipe
How to add a lightweight extra layer of authorisation for a closed beta test when you already have your auth in place.
This adds a simple codeword check that sits alongside your existing authorisation scheme without interfering with it, and takes about 5 minutes to put in. It means beta testers can see the site as guests as well as logged-in users.
It’s also easy to adapt so that more, or less, of the app can be revealed over time.
In your environment config (/config/environment.rb) put the following:
module YOUR_APP
  PREVIEW_KEY = 'your_app_007'
end
In your application controller (application.rb) put the following:
class ApplicationController < ActionController::Base
  # Before filter: lets the request through (returns true) when the session
  # already holds the preview key, otherwise redirects to the preview page and
  # returns false, which halts the filter chain.
  def ensure_covertness
    # Bypass for local development. SERVER_NAME may be derived from the
    # request's Host header, so do not rely on this bypass beyond development;
    # checking RAILS_ENV is the more robust way to limit the gate to production.
    return true if request.env['SERVER_NAME'].nil? || request.env['SERVER_NAME'].include?('localhost')
    if session[:preview_key] != YOUR_APP::PREVIEW_KEY
      redirect_to :controller => 'index', :action => 'preview' and return false
    else
      true
    end
  end
end
In your front page controller (in this example index_controller.rb) put the following:
class IndexController < ApplicationController
  # Every action except the preview form itself is gated.
  before_filter :ensure_covertness, :except => :preview

  # GET shows the codeword form; a POST with the right code marks the
  # session as unlocked and sends the visitor to the front page.
  def preview
    if request.post? && params[:code] == YOUR_APP::PREVIEW_KEY
      session[:preview_key] = YOUR_APP::PREVIEW_KEY
      redirect_to :action => 'index'
    else
      render :layout => false
    end
  end
end
Then create preview.rhtml in views/index/:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <title>Preview</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body style="text-align: center; margin-top:100px" onload="document.forms[0].elements[0].focus();">
  <%# start_form_tag with no arguments posts back to the preview action, which checks the code %>
  <%= start_form_tag %>
    <%= password_field_tag 'code' %>
    <%= submit_tag 'Submit' %>
  <%= end_form_tag %>
</body>
</html>
Now put this line in every controller you don’t want the public to see:
before_filter :ensure_covertness
Alternatively, if you don’t want any of the site revealed to the public, put that before_filter line in the application controller instead and add the following to the index controller so the preview form itself stays reachable:
skip_before_filter :ensure_covertness, :only => :preview
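The same gate logic as a plain Ruby object you can unit-test without a Rails stack (an added example, not part of Zack's recipe). It assumes a Hash stands in for the Rails session, keys the development bypass on the environment name rather than on SERVER_NAME, and compares the codeword in constant time; the method names and return values are this example's own.

```ruby
# Added example: the recipe's gate as a testable plain-Ruby object.
# Assumptions: `session` is a Hash standing in for the Rails session,
# `rails_env` is the string RAILS_ENV would hold.
module YOUR_APP
  PREVIEW_KEY = 'your_app_007'
end

class BetaGate
  # Mirrors ensure_covertness: returns nil when the request may proceed,
  # or the redirect target (as a Hash) when the visitor must enter the code.
  # Only the production environment is gated (instead of the SERVER_NAME check).
  def self.ensure_covertness(session, rails_env)
    return nil if rails_env != 'production'
    return nil if secure_equal?(session[:preview_key].to_s, YOUR_APP::PREVIEW_KEY)
    { :controller => 'index', :action => 'preview' }
  end

  # Mirrors the preview action: only a POST carrying the right code unlocks
  # the session. Returns :redirect_to_index on success, :render_form otherwise.
  def self.preview(session, params, post)
    if post && secure_equal?(params[:code].to_s, YOUR_APP::PREVIEW_KEY)
      session[:preview_key] = YOUR_APP::PREVIEW_KEY
      :redirect_to_index
    else
      :render_form
    end
  end

  # Constant-time comparison so the time taken does not depend on how many
  # leading characters of a guess matched (same idea as Rack::Utils.secure_compare).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```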
Compared with webserver authorisation (at least the digest type), which is the other obvious solution to this problem, it’s obviously not nearly as secure, but it does tie in neatly with the app, letting you reveal bits of it at a time, which is a lot more fiddly to do at the webserver level.
You could also, for example, turn the page people first see (preview.rhtml) into a tour of the soon-to-be revealed site that captures email addresses.
You can also easily restrict the check to the production (or any other) environment.
Not rocket science, but as long as you’re aware of the potential downsides, works pretty well.