Cs198-lab3


Revision as of 01:02, 26 September 2007

Lab 3: Add logins with passwords to Student app

Note: Once again, I managed to not get all the way to the end of my prepared lecture. But come to Hack Session this Thurs/Fri and I will tell you about the flash, the hash, and controller filters, all of which you'll want to understand to do this lab. Or if you prefer, you can learn most of this yourself from the Rails book in the "Administrivia" chapter of the development of the Depot test application.

  1. First iteration: Add a simple login and password capability to the Student app. Initially, just store the password as a plain text field. (Yes, a terrible idea, but this is just for practice.) You'll have to create a login view, and if the login is successful, use the Session to record this fact; on the other Student views, just display somewhere on the page "Logged in as XXXX" if there is a logged-in user, or nothing if there is no logged-in user. (Hint: use view layouts to do this.)
  2. Second iteration: instead of storing the password in plain text, store it in encrypted form; when the user logs in, encrypt the string they typed as the password, and compare it with the stored encrypted version. The easiest way to do this will be to define a setter (attr_accessor) for "password=" that saves the encrypted password if you try to assign to the 'password' attribute of a Student record. See the "Administrivia - Logging In" section of the Rails book for an example of how to do this. At this point, write a functional test to verify your login method works.
  3. Third iteration: require that the user be logged in before performing any controller action (except, of course, the login action itself!). You can do this using a before_filter.
  4. Fourth iteration: add an "is_admin" field to the Student record, and mark certain students as Admins. Restrict certain controller actions (you choose which ones) to admins-only. Write a functional test to verify this behavior.
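
The store-and-compare step from the second iteration, as an added plain-Ruby example (not code from the lab or the Rails book): it uses a salted one-way hash (PBKDF2-HMAC-SHA256) as the "encrypted form". The `Student` class, its `salt` and `hashed_password` fields, the `authenticate` helper and the sample records are assumptions made for illustration; in the Rails app the two fields would be database columns.

```ruby
require "openssl"
require "securerandom"

# Plain-Ruby stand-in for the lab's Student model (hypothetical; in the
# Rails app, salt and hashed_password would be database columns).
class Student
  ITERATIONS = 100_000 # PBKDF2 work factor chosen for this example
  attr_reader :login, :salt, :hashed_password

  def initialize(login, password)
    @login = login
    self.password = password
  end

  # Virtual attribute: the plain-text password is never stored, only a
  # fresh random salt and the hash derived from it.
  def password=(plain)
    @salt = SecureRandom.hex(16)
    @hashed_password = Student.digest(plain, @salt)
  end

  def self.digest(plain, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new("SHA256")).unpack1("H*")
  end

  # Hash what the user typed with the stored salt and compare the results.
  def password_matches?(typed)
    Student.secure_equal?(Student.digest(typed, salt), hashed_password)
  end

  # Compare every byte instead of stopping at the first difference.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns the Student on success, nil for a wrong password or unknown login.
  def self.authenticate(students, login, typed)
    student = students.find { |s| s.login == login }
    student if student && student.password_matches?(typed)
  end
end

# Constructed sample records: two students who picked the same password.
STUDENTS = [Student.new("alice", "s3cret!"), Student.new("bob", "s3cret!")]
```

Because each record gets its own salt, the two students above end up with different stored hashes even though they chose the same password.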