Users can edit their profile at mydomain.com/users/3/edit. But they can also visit mydomain.com/users/7/edit (or any other ID).
It doesn't actually affect the data at all, since I'm just using current_user but I'd like to change the path to mydomain.com/profile/edit. Currently just using:
resources :users
How would I alter this? Is it as simple as just adding below line, or is there a cleaner way of doing it?
get 'profile/edit', to: 'users#edit'
Also, what about to block 3rd party users to edit ?
In users_controller.rb
before_action :correct_user, only: [:edit, :update, :destroy]
private
def correct_user
redirect_to(root_url) unless current_user == #user
end
Related
I am having an issue trying to use the cancan authorization. I have users with one role per user, so I added user.role column as suggested in the cancan wiki.
I also have an index view for kindergardens and another index view for children.
What I am trying to achieve is to only allow access to the index views to the corresponding users with role kindergarden or parent (for children).
When I now authorize Kindergardens in kindergardens controller nobody is allowed to access the index view, although I defined it in my ability model.
Help would be much appreciated. I have no idea what I am missing...
Ability model:
class Ability
include CanCan::Ability
def initialize(user)
[...]
elsif user.role == 'kindergarden'
can [:update, :destroy], Kiga do |kiga|
kiga.user_id == user.id
end
can :read, Kiga do |kiga|
kiga.user_id == user.id
end
can :index, Kiga
can :create, Kiga
else
end
Kindergardens controller:
class KigasController < ApplicationController
before_action :set_kiga, only: [:show, :edit, :update, :destroy]
# GET /kigas
# GET /kigas.json
def index
#kigas = Kiga.all
authorize! :index, #kiga
end
You define your abilities as blocks and that needs to have instances. In index actions you have only Active Record scopes, not actual instances.
Btw you have a typo in controller code:
def index
#kigas = Kiga.all
authorize! :index, #kigas # was #kiga that is nil probably
end
See the docs:
The block is only evaluated when an actual instance object is present. It is not evaluated when checking permissions on the class (such as in the index action).
In this case you can use hashes of conditions
can [:update, :destroy], Kiga, user_id: user.id
Got solution
def index
#kigas = Kiga.all
authorize! :index, Kinga
end
I'd like to give some more rights to my admin users that the regular users, here are my before_action :
# users_controller.rb
before_action :correct_user, only: [:edit, :update, :show]
before_action :admin_user, only: [:destroy, :index, :admin_toggle]
So if you're the correct user, you can : edit, update, show your own profile.
If you're an admin_user, you can see the list (index), destroy your own profile, toggle admin any user, edit/update/show your own profile (admin_user is also a correct_user).
I'd like an admin_user to be able to edit, update, show others members profiles : do I need to write specific methods or is there a trick with before_action to do ?
It seems to be like admin_user should have the rights of correct_user -with any user ID given-.
If you use somekind of specific authentication tools like Devise for ex. then I suggest implementing authorization solution with
cancancan gem. You have a specific ability file there under your models directory where you can declare access-rights for different user roles.
Makes your future code much cleaner and easier to read also.
###EDIT:
As previous answer points out then there is also a CanCan gem but as much as I know then it is not supported in Rails4. While writing this answer, CanCanCan build-status in github is marked as failing but I've been using it for a long time now in my projects and I'm happy :)
###
ability.rb example:
def secretary_abilities
can [:create, :read, :update], Person
end
def superadmin_abilities
# superadmin can do everything that secretary can
secretary_abilities
# ...and can also do destructive actions
can [:destroy], Person
end
After that you can add checks into your views like this:
<% if can? :show, Person %>
<%= link_to 'Show', person_path(#person) %>
<% end %>
Currently, my Users database has a column called "admin" with a boolean value and the default set to false. I have one admin user seeded into the database.
How do write my application so that users who are the admin can create new users, but users who are not cannot? (Also, users should be created only by the admin)
It seems like there should be a simple way to do this in devise that does not involve using some external module. So far however, I have not been able to find a satisfactory answer.
I would be more likely to mark the solution which is devise only. (One that is simply standard MVC/Rails solution a plus) However, if there really is a better way to do it that doesn't involve CanCan I may accept that too.
NOTE:
I have been searching around for a while and I've found several other stackoverflow questions that are very similar to this one, but either don't quite answer the question, or use other non-devise modules. (Or both)
To implement the authorization, use a method on the controller
Exactly as suggested by #diego.greyrobot
class UsersController < ApplicationController
before_filter :authorize_admin, only: :create
def create
# admins only
end
private
# This should probably be abstracted to ApplicationController
# as shown by diego.greyrobot
def authorize_admin
return unless !current_user.admin?
redirect_to root_path, alert: 'Admins only!'
end
end
To sidestep the Devise 'already logged in' problem, define a new route for creating users.
We will simply define a new route to handle the creation of users and then point the form to that location. This way, the form submission does not pass through the devise controller so you can feel free to use it anywhere you want in the normal Rails way.
# routes.rb
Rails.application.routes.draw do
devise_for :users
resources :users, except: :create
# Name it however you want
post 'create_user' => 'users#create', as: :create_user
end
# users/new.html.erb
# notice the url argument
<%= form_for User.new, url: create_user_path do |f| %>
# The form content
<% end %>
This seems like the simplist approach. It just requires sub-classing the devise controller. See the docs for how to do that.
# app/controllers/registrations_controller.rb
class RegistrationsController < Devise::RegistrationsController
before_action :authenticate_user!, :redirect_unless_admin, only: [:new, :create]
skip_before_action :require_no_authentication
private
def redirect_unless_admin
unless current_user.try(:admin?)
flash[:error] = "Only admins can do that"
redirect_to root_path
end
end
def sign_up(resource_name, resource)
true
end
end
# config/routes.rb
Rails.application.routes.draw do
devise_for :users, :controllers => { :registrations => 'registrations'}
end
Explaination:
Subclass the registration controller and create the route for it.
The before_action ensures that a user is logged in, and redirects them unless they are admin, if they try to sign up.
The already logged in issue is caused by Devise's require_no_authentication method and skipping it resolves the issue.
Next is that the newly created user is automatically signed in. The sign_up helper method which does this is overridden to do prevent automatic signup.
Finally, the Welcome! You have signed up successfully. sign up flash message can be changed via editing the config/locales/devise.en.yml file, if desired.
The problem is conceptual. Devise is only an Authentication library not an Authorization library. You have to implement this separately or use CanCan. Fret not however, it is easy in your case to implement this since you only have one role.
Guard your user create/update/destroy action with a before filter:
class UsersController < ApplicationController
before_filter :authorize_admin, except [:index, :show]
def create
# user create code (can't get here if not admin)
end
end
class ApplicationController < ActionController::Base
def authorize_admin
redirect_to root_path, alert: 'Access Denied' unless current_user.admin?
end
end
With this simple approach you run a before filter on any controller action that can affect a user record by first checking if the user is an admin and kicking them out to the home page if they're not.
I had this issue when working on a Rails 6 application.
I had an admin model which I Devise used to create admins.
Here's how I fixed it:
First I generated a Devise controller for the Admin model, which created the following files:
app/controllers/admins/confirmations_controller.rb
app/controllers/admins/omniauth_callbacks_controller.rb
app/controllers/admins/passwords_controller.rb
app/controllers/admins/registrations_controller.rb
app/controllers/admins/sessions_controller.rb
app/controllers/admins/unlocks_controller.rb
Next, I modified the new and create actions of the app/controllers/admins/registrations_controller.rb this way to restrict signup to admin using Devise:
class Admins::RegistrationsController < Devise::RegistrationsController
before_action :configure_sign_up_params, only: [:create]
before_action :configure_account_update_params, only: [:update]
# GET /resource/sign_up
def new
if admin_signed_in?
super
else
redirect_to root_path
end
end
# POST /resource
def create
if admin_signed_in?
super
else
redirect_to root_path
end
end
.
.
.
end
Afterwhich, I added the skip_before_action :require_no_authentication, only: [:new, :create] action to the app/controllers/admins/registrations_controller.rb this way to allow an already existing admin to create a new admin while being logged in:
class Admins::RegistrationsController < Devise::RegistrationsController
before_action :configure_sign_up_params, only: [:create]
before_action :configure_account_update_params, only: [:update]
skip_before_action :require_no_authentication, only: [:new, :create]
.
.
.
end
You may need to also hide the Register and Forgot password buttons in the login form, to only been by logged in admins:
# app/views/admins/sessions/new.html.erb
<% if admin_signed_in? %>
<%= render "admins/shared/links" %>
<% end %>
Optionally, I added first_name and last_name parameters to the allowed parameters in the app/controllers/admins/registrations_controller.rb file, after already adding it to the admin model through a database migration:
class Admins::RegistrationsController < Devise::RegistrationsController
before_action :configure_sign_up_params, only: [:create]
before_action :configure_account_update_params, only: [:update]
skip_before_action :require_no_authentication, only: [:new, :create]
.
.
.
# If you have extra params to permit, append them to the sanitizer.
def configure_sign_up_params
devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name,
:last_name])
end
# If you have extra params to permit, append them to the sanitizer.
def configure_account_update_params
devise_parameter_sanitizer.permit(:account_update, keys: [:first_name,
:last_name])
end
.
.
.
end
Note: You will need to modify your app/views/admin/registrations views accordingly as well to cater for this
Additionally, you may need to create a new controller where you can create the index action for admins, say, app/controllers/admins/admins_controller.rb:
class Admins::AdminsController < ApplicationController
before_action :set_admin, only: [:show, :edit, :update, :destroy]
before_action :authenticate_admin!
# GET /admins
# GET /admins.json
def index
#admins = Admin.all
end
.
.
.
end
Note: If you need more control like managing admins by updating and deleting information of other admins from your dashboard, you may need to add other action like show, edit, update, destroy, and others to this file.
And for the routes:
## config/routes.rb
# List of Admins
get 'admins', to: 'admins/admins#index'
namespace :admins do
resources :admins
end
And then modify the path used after sign up in the app/controllers/admins/registrations_controller.rb to redirect to the admins_path, this will show you a list of all the admins that have been created:
class Admins::RegistrationsController < Devise::RegistrationsController
before_action :configure_sign_up_params, only: [:create]
before_action :configure_account_update_params, only: [:update]
skip_before_action :require_no_authentication, only: [:new, :create]
.
.
.
# The path used after sign up.
def after_sign_up_path_for(resource)
admins_path
end
# The path used after sign up for inactive accounts.
def after_inactive_sign_up_path_for(resource)
admins_path
end
end
Finally, you may need to change the notice that Devise gives when you create a user in the config/locales/devise.en.yml file, from:
Welcome, You have signed up successfully
to, say:
Account was created successfully.
That's all.
I hope this helps.
I am implementing a User modeling for my app. That only current user can update and destroy his account I put in the user controller:
before_action :correct_user, only: [:edit, :update, :destroy]
But now I also want that the admin can do those actions (well he can actually do everything)
I proposed to create another function in the helper admin_user to allow him the access to all actions then call it in the user controller like:
before_action :admin_user
but it seems like he is ignoring it. Any mathematic function to solve this issue?
Thanks!
You could just define that correct_user always returns immediately if the current_user is an admin:
def correct_user
return if current_user.admin?
# put existing logic here
end
Following the guide here, I added a boolean attribute to my database using a migration:
rails generate migration add_admin_to_user admin:boolean
I've configured my account to be an admin (admin = 1) via Rails console. I have a controller that I want to restrict access to certain actions (new, edit, create, and destroy) for administrators only.
I'll also have normal users, I just want to restrict access to these actions for admins only in this controller. Currently, I'm using the code:
before_filter :authenticate_user!, :only => [:new, :edit, :create, :destroy]
Which restricts access to registered users -- how do I take this a step further and require admins?
you can easily implement your own before_filter to allow access to only admin users by using the .admin? method associated with your user model. for instance:
before_filter :verify_is_admin
private
def verify_is_admin
(current_user.nil?) ? redirect_to(root_path) : (redirect_to(root_path) unless current_user.admin?)
end
You will want to define your own method in the before filter and then detect whether the user is an admin or not in that method prior to calling :authenticate_user!
before_filter :custom_method, :only => [:new, :edit, :create, :destroy]
private
def custom_method
authenticate_user!
if current_user.admin
return
else
redirect_to root_url # or whatever
end
end
You will want to do the authenticate_user! step prior to checking the current_user variable.
ian.