Authentication Problem - not recognizing 'else' - Ruby on rails

I can't seem to figure out what I am doing wrong here. I have implemented the Super Simple Authentication from Ryan Bates tutorial and while the login portion is functioning correctly, I can't get an error message and redirect to happen correctly for a bad 开发者_JAVA技巧login.

Ryan Bates admits in his comments he left this out but can't seem to implement his recommendation. Basically what is happening is that when someone logs in correctly it works. When a bad password is entered it does the same redirect and flashes 'successfully logged in' thought they are not. The admin links do not show (which is correct and are the links protected by the <% if admin? %>) but I need it to say 'failed login' and redirect to login path. Here is my code:

SessionsController

class SessionsController < ApplicationController
   def create
      if 
      session[:password] = params[:password]
      flash[:notice] = 'Successfully logged in'
      redirect_to posts_path
    else
      flash[:notice] = "whoops"
      redirect_to login_path
    end
  end

    def destroy
      reset_session
      flash[:notice] = 'Successfully logged out'
      redirect_to posts_path
    end
  end

ApplicationController

class ApplicationController < ActionController::Base

  helper_method :admin?

  protected

  def authorize
    unless admin?
      flash[:error] = "unauthorized request"
      redirect_to posts_path
      false
    end
  end

  def admin?
    session[:password] == "123456"
  end

  helper :all # include all helpers, all the time
  protect_from_forgery # See ActionController::RequestForgeryProtection for details
  # 
end

You need to use Ruby's comparison operator == rather than the assignment operator =. Your create action should be:

def create 
  if session[:password] == params[:password] 
    flash[:notice] = 'Successfully logged in' 
    redirect_to posts_path 
  else 
    flash[:notice] = "whoops" 
    redirect_to login_path 
  end 
end 

Edit: The problem is that nowhere in your SessionsController are you actually checking the entered password against the correct password. Change your create method to this:

def create 
  if params[:password] == '123456'
    session[:password] = params[:password]
    flash[:notice] = 'Successfully logged in' 
    redirect_to posts_path 
  else 
    flash[:notice] = "whoops" 
    redirect_to login_path 
  end 
end

It's not ideal having the password hard-coded like this and storing it in the session for use by the admin? helper method, but this is supposed to be super simple authentication.

    if  #YOU MISSING SOMETHING HERE WHICH Returns TRUE IF USER IS VALID
      session[:password] = session[:password]
      flash[:notice] = 'Successfully logged in'
      redirect_to posts_path
    else
      flash[:notice] = "invalid login"  #CHange if messaage for invalid login
      redirect_to login_path
    end

it must be

    if   session[:password] == params[:password]

You never have a fail condition due to:

if session[:password] = session[:password]

This will always be true. You probably want something like:

if session[:password] == 'canihazpasswrd' then
  do_something_here

Edit: Refer @john's answer. :)

Try this:

  def create
    if session[:password] == '123456'
      flash[:notice] = 'Succesfully logged in'
      redirect_to home_path
     else
      flash[:notice] = "Incorrect Password!"
      redirect_to login_path
    end
  end

The thing is that the tutorial you used does no user's authentication. It only checks if the login belongs to an admin, so some content will be showed.

This way you'll never have wrong login/password, just admin/non-admin.