Adding new admins using Devise - ruby-on-rails

I need to make three admins on the web page I am developing.
Admins will have access to view all the users.
When I follow the instructions, the current user is being made the admin. I need to add two more to my admin list.
I have the Devise gem installed in it.

You need to post a lot more detail. I'll take a bit of a shot in the dark:
You've made a new model, Admin, which is different from User, right? If you want new admins, you'll need to create them. Admin.create(admin_params) and such. Users are not and cannot be admins.
If you want your admins to also be users, you're better off following option 2 in the how-to guide, adding an 'admin' boolean property to the user model. Then you can set any user an admin with some_user.update_attribute :admin, true (and all the ways you'd normally manage model attributes) and test for it with current_user.admin?

Related

Devise and discourse: Separate devise users for vendors and users or just one devise for users?

I'm building a website where vendors can have their own separate website. There are vendors and normal users.
The goal is to have a closed profile page w. login for both, where a vendor can edit his website, check out stats and more. A normal user is also able to log in to mark different vendors' websites as favourites and check out the newest posts on the forum. So what is important here is: They both need to be on my Discourse forum, but I'd like to avoid a Vendor having a login both as a vendor and as a user (signing up twice).
http://www.discourse.org/ has SSO ability for devise, but I'm not sure if it allows for two different devise models.
Should I:
Create one devise-model for both, called Users? (And have a boolean or integer if User is a vendor/has vendor-access?)
Or:
Separate them: One for Users and one for Vendors?
I haven't tested out if Discourse allows for two devise-models, since Discourse is the easiest to set up in production-mode. But I need your advice: Can I use Single sign-on for devise with two different devise models? Is it the preferable way? Or are there other ways than this I haven't noticed? Like adding a user to a vendor, or something?
Using Rails 5
We can achieve this by managing a role field. We can make an entry in the role field at the time of sign_up recording whether the user is a normal user or a vendor. After creating this, we can check user_role in after_sign_up_path and redirect to the path accordingly.
For this, refer to the rolify gem.
Please correct me if I am getting anything wrong.

Controller logic for two different type of users

In my project I have three different categories of users:
Guest
Registered
Admin
If a Registered user is logged in, I want to show them (if they click on a button) their orders.
The Admin instead can see the orders of all the users. I can use OrdersController to show things to the Registered user.
Is it necessary to create a new controller for the Admin, or can I use an "if the user is an admin, do this" clause in the same controller (say OrdersController) that I use for the Registered users?
There's no single right answer to this question, it really depends a lot on your code, your app, your use cases, and a whole bunch of other detail that you haven't provided (and that this is not the best forum for).
So, generally the administration tasks are so distinct from the regular users that people create new controllers for them, usually under their own Admin:: namespace.

Rails, managing access of dashboard pages by models roles. Using devise

I am creating a dashboard application on Rails4. I have created model Partner with some data. I also have created a lot of models with views that will be associated to this Partner.
I can edit data of all models without any restrictions. Now I want to create Admin, that will login to my app and will manage data. Admins will be added via console and it does not need registration.
Also I want to make Partners to login/register too. Partners can only open pages that are connected to their data and edit them.
Here my questions depending on this situation:
How do I remove the registration element from Admins without affecting Partners?
How do I restrict Partners to only their own pages while Admins can be everywhere?
Is it a good approach to have Admins and Partners edit data on the same dashboard, or do I need to create different controllers with different views for Admins and Partners separately?
You should be able to do everything you're discussing by using a gem for handling authorization (authority) and one for roles (rolify):
https://github.com/nathanl/authority
https://github.com/RolifyCommunity/rolify
You shouldn't have to create distinct views/controllers, however, depending on how divergent they are it may be appropriate. You should be able to do most of that logic by using logic to switch based on the permissions you set up.
current_user.can_edit?(page)
Within the Authorization setup, you would have to determine who can edit/view/create/etc. There's a good writeup for doing this in the authority wiki.
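One way to express the rule asked about above (Partners only on their own records, Admins everywhere), as an added plain-Ruby example that is not part of the original answer and does not use the authority gem's API. The Account, Page and PagePolicy names and the sample records are assumptions constructed for illustration.

```ruby
# Plain-Ruby sketch (no Rails, no gems). All names and records here are
# constructed for illustration; they are not the authority gem's API.
Account = Struct.new(:id, :role) do
  def admin?
    role == :admin
  end
end

Page = Struct.new(:id, :partner_id, :title)

class PagePolicy
  def initialize(account)
    @account = account
  end

  # Record-level check: deny by default, admins anywhere, partners only
  # on rows they own.
  def can_edit?(page)
    return false if @account.nil?
    return true if @account.admin?
    @account.role == :partner && page.partner_id == @account.id
  end

  # Collection-level scope: filter before lookup so a guessed id for
  # another partner's page comes back as "not found".
  def scope(pages)
    return [] if @account.nil?
    return pages if @account.admin?
    pages.select { |p| can_edit?(p) }
  end

  # Lookup goes through the scope, never through the raw collection.
  def find(pages, id)
    scope(pages).find { |p| p.id == id }
  end
end

PAGES = [
  Page.new(1, 10, "Partner 10 stats"),
  Page.new(2, 11, "Partner 11 stats")
].freeze

ADMIN     = Account.new(1, :admin)
PARTNER10 = Account.new(10, :partner)
```

In a controller the same shape means loading the record through the scoped lookup, so the ownership check cannot be skipped by an action that forgets to call can_edit?.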

Declarative Authorization: restrict model actions on specific attributes

I'm quite new to rails and I'm trying to setup an authorization system that allows me to control which attributes of a model can be modified by a user.
I use declarative_authorization for a role based authorization. This already provides me quite a lot of functionality: restrict what the user can see in the view depending on his roles, which actions he can perform in the controllers and basically also which actions he is allowed to do on the model.
However, I just can't find an answer on how to restrict the actions on specific attributes of a model depending on the role.
Example:
A user that has a :guest role is allowed to update certain attributes of a user-account: When he tries to log in with a wrong password, I want to update a specific field of a user-account that will make this account inactive. The :guest role should however never be able to change the nickname of this user account.
I therefore use the "using_access_control" method in my user-model, but this either gives "update" privileges on an account for all attributes or no "update" privilege at all depending on the role.
I understand that "strong_parameters" is a gem that would basically make such functionality available but I have no clue on how to fit both "declarative_authorization" and "strong_parameters" together or how to do it simply with "declarative_authorization".
Can somebody point me to the solution?
Many thanks!
Authorization::Maintenance::without_access_control do
  # do something
end
I hope this was helpful.
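The per-role attribute restriction the question asks for can be written as an allowlist applied to incoming parameters before the update. This is an added plain-Ruby example, not code from the original post or from declarative_authorization or strong_parameters. The role names follow the question; the attribute names, helper names and sample input are assumptions constructed for illustration.

```ruby
# Plain-Ruby sketch of a per-role attribute allowlist, the same idea as
# permitting parameters per role. Attribute names and sample input are
# constructed for illustration.
PERMITTED_ATTRIBUTES = {
  guest: %i[active],                  # may deactivate after a bad login
  user:  %i[nickname bio],
  admin: %i[nickname bio active role]
}.freeze

class UnpermittedAttribute < StandardError; end

# Returns only the attributes the role may write. Unknown roles get an
# empty allowlist. With strict: true an unpermitted key raises instead
# of being silently dropped.
def permitted_update(role, params, strict: false)
  allowed_names = PERMITTED_ATTRIBUTES.fetch(role, []).map(&:to_s)
  # Request params arrive with string keys; compare as strings so
  # untrusted keys are never converted to symbols before being checked.
  rejected = params.keys.map(&:to_s) - allowed_names
  if strict && !rejected.empty?
    raise UnpermittedAttribute, "#{role} may not set: #{rejected.join(', ')}"
  end
  params.each_with_object({}) do |(key, value), out|
    out[key.to_sym] = value if allowed_names.include?(key.to_s)
  end
end

# Applies only the permitted subset to a copy of the account.
def apply_update(account, role, params)
  account.merge(permitted_update(role, params))
end

ACCOUNT = { nickname: "alice", bio: "", active: true, role: "user" }.freeze
# Constructed request: a guest tries to change more than the one field.
GUEST_INPUT = {
  "active" => false, "nickname" => "renamed", "role" => "admin"
}.freeze
```

The role passed in has to come from the authenticated session, never from the request parameters themselves.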

How Do I Create a User Profile With Devise?

I really like how devise offers an easy to use registration system out of the box but I'm having trouble extending it to do what I need. I need to create a public user profile for each user that shows their information like name, email, bio, and more info. I've done this in the past before with a users/show function but since devise doesn't provide any easily editable controllers, I'm having trouble figuring out how to do this. I've already run rails generate devise:views to copy the devise views to my app but I don't know where to go from here. Any help would be much appreciated.
Sounds like you want users to update their profile at the same time they create their account? If so, you can set up an associated Profile model with the User model. Using accepts_nested_attributes_for you can then create a record for the nested model on devise user registration submit/creation.
Here's a great screencast covering nested models and I also suggest you search other Devise-related SO posts as this question has been discussed before.
There is an alternative approach that is simpler to implement — only allow registered users to edit/update their profile. This way you don't have to alter the Devise views and you can set up the various CRUD actions via a separate non-devise controller.
Throw in an Access Control List (ACL) solution such as CanCan (there are other alternatives too!) and you can even allow other users to view profiles but deny access to edit/destroy etc.
