How can I achieve the following behavior in Ruby on Rails?
I need to make the whole site accessible by the single admin only, so I need to show the authorization page on every not signed in user's action.
What is the best way to do it? Maybe cancancan or smth like this? Can you give me an example, please?
I'm using Ruby on Rails 4.1.4 btw.
Thanks in advance.
You could use Devise to set it up. Since you want a single user system you donĀ“t need cancancan which authorises resources.
Basically you lock down the app by adding a before filter which requires the use to be authenticated:
before_action :authenticate_user!
There is a guide on how to set up the registration to only accept one user on the Devise wiki. https://github.com/plataformatec/devise/wiki/How-To:-Set-up-devise-as-a-single-user-system
I am big fan of ActiveAdmin. You can manage whole site's content and users through Active Admin even it's provide search, filter & sorting facility. as you described that whole site accessible by the single admin only, not signed in user's action
For your reference:
Live Demo
Active Admin Site
Documentation
RailsCast
If you wanted to authorized user for signed in then as papirtiger answered you can simply use that before_action :authenticate_user! method
Update:
As you mentioned that all users can access the page then in this case I would like to suggest to use cancancan for Rails 4. You can simply assign the roles and as per the roles you can give access to use actions. Provide Role Management System
OR
In your Users table append one column of roles as boolean type and assign admin user to false and by default all users to true. This is the easiest way to achieve your goal.
In your controller set If user's role false then he can access everything..
For E.g. Add an Admin Role
If you have only one user that can access your site then you can use devise gem also. Just create simple user using devise. and use before_filter :authenticate_user! on your applications_controller.rb . So each request will checked before reaching to controller.
Related
I'm working on a project that involves two Devise models (User and Admin). What I'd like to do is allow for Admin members to be able to view and manage Users in a RESTful way (i.e: index, show, create, update, destroy).
Would the best way be to create a users_controller and treat it like an average RESTful model (modifying each controller action to work with Devise where applicable)?
Any suggestions would be much appreciated.
Thanks.
CLARIFICATION UPDATE
It seems I wasn't clear about the question above. Answers below are about the authorisation of actions affecting the User model. This isn't what I'm asking about. I'm asking about the best way to facilitate the transaction itself, not the authorisation and restriction of the transaction. What would be the best way to have Admin members creating Users and updating User records without using the standard Devise self-signup. My intention is to disable self-signup so as to only allow new User registration by an Admin member creating the User account. Hopefully, this is more clear. Thanks.
I advise you take a look at the following gems Rolify and CanCan, there were integrated with devise here.
Here's a link
How do you allow a user only being able to access a controller action only if he had accessed another controller.
For example, i have a set of Products which will go to NumberController ('new' action) - i prevent the anonymous to go to the new action in the NumberController, directly and only allow the anonymous user coming form the Products page which the anonymous user had selected before that.
One solution that i had read is that you can use session cookies to disallow the user to access the new action in the NumberController and the other is using scoped query for example:
Product.find(params[:id]).Number.find(params[:product_id])
or something similar and use nested resources. Any ideas?
This answer posted on this question:
Authorizing non-logged-in user behavior in rails with cancan and devise
illustrates how you can handle anonymous (not logged in) users with CanCan authorization. It's fairly straightforward.
Also, importantly, CanCan is currently fairly out of date. CanCanCan (https://github.com/CanCanCommunity/cancancan) is a fairly drop-in replacement for CanCan that's being actively maintained, works with Rails 4, etc. It will handle your anonymous user issue just fine.
Have you try cancan and rolify.
you could use them to set a role for a user so will be able to verify if this user have a role (admin) to access this action...
I am working on a new rails 3 application. In this application I have 2 different types of resources(admin and garage) both with different views and with 2 different login screens using devise. The admin can create a garage and can generate a password for the garage using which the garage manager can login to the application. Till now I am able to implement this.
One problem that I am facing in the above implementation is that the garage manager, once logged in, is able to view the admin section by changing the url in the browser and can make changes like an admin user.
Now what I am trying to implement is to have a single log in/sign in form for both the models and when someone logs in, depending on their model type they should be redirected to their respective views. Also, I would like to restrict all the users but admin from using the admin section.
What should be my approach to implement this. I am using devise for authentication.
resource is an instance of one of your models here:
def after_sign_in_path_for(resource)
return admin_route_path if resource.is_a?(Admin)
return garage_route_path if resource.is_a?(Garage)
end
resource is a symbol of the model name here:
def after_sign_out_path_for(resource)
return "/admin" if resource == :admin
return "/" if resource == :garage
end
Normally goes in application_controller.rb
One problem that I am facing in the above implementation is that the garage manager, once logged in, is able to view the admin section by changing the url in the browser and can make changes like an admin user.
As for this, it's an authorization problem and not an authentication problem. Though you can do some simple stuff within devise to manage this, like an admin flag or something of that nature so you can differentiate the two. Just redirecting won't solve this issue entirely.
Take a look at cancan, declarative authorization and I'm sure there are many others.
I'm building a service on Rails using Devise which requires an 'admin' user to add regular users to their organization account.
The default behaviour of Devise doesn't support this, as the ':require_no_authentication' method is called when a logged in admin user tries to create a regular user account.
What would be the recommended method of achieving the functionality I am looking for?
:require_no_authentication is called by prepend_before_filter in the
Devise::RegistrationsController class, rather that in one of the
RegistrationsController methods, so I do not know if this can be
overridden (correct me if I'm wrong).
I believe separating the admin users from the regular users would
work, however these users will share very similar properties, so I
believe doing this will add unnecessary repetition.
I am currently trying to create new admin users (who in turn create
the organization that regular users belong to) using the regular
Devise sign up flow with 'users#new' and 'users#create' controller
actions, and allowing admins to add new users through a 'users#add'
action.
If there is perhaps another good user authentication gem that would better suit my needs, I would be happy to take a look at switching to that.
This seems to be more of an authorization problem than an authentication problem. You can use an authorization gem, such as cancan, to assign roles to users (such as admin) and grant abilities to those roles. This works really well alongside Devise. Here's a tutorial:
http://www.tonyamoyal.com/2010/07/28/rails-authentication-with-devise-and-cancan-customizing-devise-controllers/
EDIT: I think I may have misunderstood your problem. Maybe what you need is just another controller to handle the creating of users outside of the Devise controllers. You could use cancan to restrict access to this controller to only admins.
I'm wondering if it's possible to selectively require confirmation for certain controller actions using Devise.
Basically: I want users to sign up for an account (which will trigger a confirmation email), be automatically logged in, and be able to immediately explore certain parts of the site as a signed in (but still unconfirmed) user. Access to certain areas (e.g., payment) would require the user to first confirm their email.
I'm hoping for something like before_filter: user_is_confirmed, only: [payment_related_stuff]
I searched for a while and could not find a way to do this out of the box, so I thought creating a hacky solution in which all possibly protected areas would still require before_filter: authenticate!, but I would override the Devise SessionsController's create to permissibly allow access to certain areas before confirmation. However, I'm not sure if this is the right way to go.
Using built in solution in devise, you could use allow_unconfirmed_access_for 1.year in combination with current_user.confirmed? in your before filter