I've installed CanCan and added line gem 'cancan' to Gemfile. Ran bundle.
I created app/models/ability.rb with code:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.admin?
can :manage, :all
end
end
end
ActiveAdmin and Devise are installed and plugged.
I added if cannot? to app/admin/codes.rb:
ActiveAdmin.register Code do
if cannot? :manage, Code
flash[:notice] = "Access denied"
redirect_to '/'
end
index do
column :id
column :title
column :author
column :created_at
column :updated_at
column :language
default_actions
end
end
rails cannot start server or open rails console:
app/admin/codes.rb:2:in `block in <top (required)>': undefined method `cannot?'
for #<ActiveAdmin::ResourceDSL:0x4ae7fe8> (NoMethodError)
How can I fix it?
The cancan methods are added to all controllers and models and not anything else, so you will need to manually include the cancan methods in your ActiveAdmin class. Consider following the pattern here:
https://github.com/ryanb/cancan/blob/master/lib/cancan/controller_additions.rb
with something like include CanCan::ControllerAdditions
I did it.
I have appended code that executes into controller context:
controller do
before_filter :check_admin
def check_admin
if cannot? :manage, Code
flash[:alert] = "Access denied!"
redirect_to '/admin'
end
end
end
Related
Everytime i try to connect to my backoffice with an admin, I get this You are not authorized to access this page. even tho everything is setup to be supposed to accept admins. I've checked and all my employees are admins so it shouldn't be doing this!
I've tried to restrain basic users rights, I've tried accessing the page with every account but I always get this error, even tho all the employees are admins!
ability.rb
class Ability
include CanCan::Ability
def initialize(employee)
employee ||= Employee.new # guest employee (not logged in)
if employee.admin?
can :access, :rails_admin # only allow admin employees to access Rails Admin
can :read, :dashboard
can :manage, :all
authorize!(:dashboard, #employee)
end
end
end
employees_controller.rb
class EmployeesController < ApplicationController
def employee_params
params.require(:employee).permit(:email, :encrypted_password, :password_confirmation, :role)
end
end
accessible.rb
module Accessible
extend ActiveSupport::Concern
included do
before_action :check_employee
end
protected
def check_employee
if current_employee.admin
flash.clear
redirect_to(rails_admin.dashboard_path) && return
elsif current_employee
flash.clear
redirect_to(new_employee_session_path) && return
end
end
end
rails_admin.rb
RailsAdmin.config do |config|
config.parent_controller = "::ApplicationController"
config.authorize_with do |controller|
if current_employee.admin?
redirect_to main_app.new_account_session_path, flash: {error: 'Please Login to Continue..'}
elsif !current_employee.admin?
redirect_to main_app.root_path, flash: {error: 'You are not Admin'}
end
end
## == CancanCan ==
config.authorize_with :cancancan
config.actions do
dashboard # mandatory
index # mandatory
new
export
bulk_delete
show
edit
delete
show_in_app
end
end
routes.rb
Rails.application.routes.draw do
devise_for :users, path: 'users'
devise_for :employees, path: 'employee'
namespace :user do
resources :users
end
namespace :employee do
resources :employees
end
mount RailsAdmin::Engine => '/admin', as: 'rails_admin'
root 'index#Index'
get '/Index', to: 'index#Index'
get '/ResidentialServices', to: 'pages#ResidentialServices'
get '/CorporateServices', to: 'pages#CorporateServices'
get '/Quotes', to: 'pages#Quotes'
get '/Awards', to: 'pages#Awards'
end
add admin to employees migration
class AddAdminToEmployees < ActiveRecord::Migration[5.2]
def change
add_column :employees, :admin, :boolean, default: false
end
end
employee (you can see that I've set my admin to true :
Employee.create!(lastName: 'xxx', firstName: 'xxx', title: 'Comm Rep', email: 'xxx#xx.xx', encrypted_password: BCrypt::Password.create('123456'), admin: 'true')
i expect admins to be able to access the backoffice
Shouldn't you pass variable instead of instance variable in ability.rb?
authorize!(:dashboard, employee)
instead of
authorize!(:dashboard, #employee)
cancancan expects a current_user not a current_employee
cancancan expects a current_user helper method, not a current_employee helper method - I'm guessing this is the helper method that you presently have, if you are using the devise gem.
You can check whether the employee you are passing into the ability method has been initialised using a debugger like byebug - my guess it that it has not been initialised at all. In short, you need to tell cancancan that you are using current_employee and not current_user
Here is a quick hack that should do that for you:
class ApplicationController < ActionController::Base
alias_method :current_user, :current_employee
end
So i am using Cancancan gem in my application.I have Users authenticated with the Devise/Omniauth gems and Admins that they are authenticated with a simple custom authentication.
I want to achieve
ability.rb
def initialize(userOrAdmin)
if userOrAdmin.user?
can :read, User
return unless user.present?
can :manage, User, id: user.id
elsif userOrAdmin.admin?
can [:update, :read] , Admin, id: admin.id
end
end
end
but that doesnt work.
I tried to override the ability method like that
application_controller
def current_ability
if current_admin?
#current_ability ||= Ability.new(current_admin)
elsif current_user?
#current_ability ||= Ability.new(current_user)
end
end
but i am getting a nomethod current_admin error probably because Cancancan assumes a current_admin from device but cant find it although i am using an current_admin method of my own.
I also tried to assign roles with the enum in both User.rb and Admin.rb and change ability.rb properly but i got an undefined method admin? for User error
Cancancan verion 2.0
After some searching, I found some helpful articles:
CanCanCan: Defining Abilities - Best Practicies
CanCanCan: CCC That Scales
CanCanCan: Refactoring Abilities
Rails: Routing From The Outside In
I suggest you try the following:
# Ability.rb
class Ability
include CanCan::Ability
def initialize(user)
# Everyone:
can :read, User
# Users:
return unless user.present?
can :manage, User, user_id: user.id
# Admins:
return unless user.admin?
can :manage, :all
end
end
# Routes.rb
devise_for :users # current_user:
devise_for :admins # current_admin:
# Application_Controller.rb
def current_ability
#current_ability ||= current_admin ? AdminAbility.new(current_admin) : UserAbility.new(current_user)
end
I found a solution that works
application_controller.rb
def current_ability
if current_user
return if current_admin.present?
#current_ability ||= Ability.new(current_user)
elsif current_admin
return unless current_admin.present?
#current_ability ||= Ability.new(current_admin)
end
end
end
ability.rb
class Ability
include CanCan::Ability
def initialize(userOrAdmin)
if userOrAdmin.is_a? User
can :read, User
can [:update, :read], User, id: userOrAdmin.id
elsif userOrAdmin.is_a? Admin
can :read, Admin
can [:update, :read], Admin, id: userOrAdmin.id
end
end
end
Althought this works without errors . Whenever i am signed in both like a user and admin the admin role appears CanCan not authorized error .
This is what my ability.rb looks like:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.has_role? :admin
can :manage, :all
end
can :manage, Connection, inviter_user_id: user.id
end
end
In my controller I have this:
class ConnectionsController < ApplicationController
load_and_authorize_resource
skip_authorize_resource only: :index
layout 'connections'
def index
#family_tree = current_user.family_tree
#inviter_connections = current_user.inviter_connections.order("updated_at desc")
#invited_connections = current_user.invited_connections.order("updated_at desc")
end
end
In my application_controller.rb, I have this:
rescue_from CanCan::AccessDenied do |exception|
redirect_to authenticated_root_url, :alert => exception.message
end
Yet, when I try to visit /connections when I am not logged in, I get this error:
NoMethodError at /connections
undefined method `family_tree' for nil:NilClass
Also, when I remove the can :manage, Connection from my ability.rb it actually sends me to my login page like I expect.
How do I get both to work?
It looks like you are using Devise for authentication. For this kind of validation when using devise you should add this to your controller:
before_action :authenticate_user!
Try the following:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.has_role? :admin
can :manage, :all
else
can :manage, Connection, inviter_user_id: user.id
end
end
end
Also, noticed that you are skip_authorize_resource only: :index, try commenting out that and see if it works.
On line 8 of your controller, current_user is nil when you're not logged in, and it's calling family_tree on it.
You need something like (just as an example, it depends on your needs):
#family_tree = current_user.try(:family_tree) || FamilyTree.new
The reason it "works" when you remove the line in Ability is because that removes the ability to see the connection, so the before_filter redirects before you ever get inside index. What's probably tripping you up is the Connection record has a inviter_user_id of nil, and User#id is nil, so it's giving you permission to get into index.
It could also happen if you forgot to put this at the top of the controller:
load_and_authorize_resource
See docs for more.
After installing and setting up devise for user login I went ahead and added the rails_admin gem. Now if I go too localhost:3000/admin I can access the admin dashboard but How do I add admin authentication so you would need to enter admin credentials to access the admin dashboard?
I would recommend you to use an authorization gem called cancancan (is the updated version of cancan) it's super easy to use and it will let you to give certain permissions to different kind of users. If you don't know nothing about this gem i will recommend you to see this railscasts that will teach you how to use it properly.
So after you installed the cancancan gem in the ability.rb file you just need to do something like this to limit the admin access
models/ability.rb
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user && user.admin?
can :access, :rails_admin # only allow admin users to access Rails Admin
can :dashboard
can :manage, :all
else
can :read, :all # allow everyone to read everything
end
end
end
And don't forget to tell to the rails_admin gem that you are using cancancan to validate the authorization
config/initializers/rails_admin.rb
RailsAdmin.config do |config|
## == Cancan ==
config.authorize_with :cancan
end
To user the "user.admin?" method you must create it into the user model, but it will only work if you have a role model that has_many users and users belongs_to role otherwise you will need other way to verify the role, so it will be something like this
models/role.rb
has_many :users
models/user.rb
belongs_to :role
def admin?
role_id == 0 # If you have id == 0 for admin
end
Also i will recommend you to use a role model or enum to manage the different roles with ease.
I hope it helps :D
In your routes.rb
authenticate :admin do
mount RailsAdmin::Engine => 'rails_admin', as: :rails_admin
end
Provide your user with an admin role such that you can test, e.g. user.admin?.
Configure rails_admin to inherit from your application controller and to catch any access other than a signed in admin user.
#config/initializers/rails_admin.rb
RailsAdmin.config do |config|
...
config.parent_controller = 'ApplicationController'
config.authenticate_with do
# current_user = User.find_by_id(session[:user_id])
raise InvalidAdminAccess, 'Access denied.' unless current_user.try(:admin?)
end
end
Define the InvalidAdminAccess error class in
# app/errors/invalid_admin_access.rb
class InvalidAdminAccess < StandardError
end
Catch the error in your application controller
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
...
rescue_from InvalidAdminAccess do |exception|
respond_to do |format|
format.json { head :forbidden, content_type: 'text/html' }
format.html { redirect_to main_app.root_url, alert: exception.message }
format.js { head :forbidden, content_type: 'text/html' }
end
end
end
In this way, when there is incorrect access, rails_admin triggers an exception that is caught and handled by the application controller.
I am not beeing able to make this work.
I have a project with activeadmin 0.4.4 and devise working, and I need to include role-based permissions to it, so I thought on CanCan. The roles could be 'administrator' or 'publisher', administrator can manage all and publisher only a post section.
I followed https://github.com/gregbell/active_admin/wiki/How-to-work-with-cancan-with-activeadmin, the AdminUser crud it is working fine, and the config.authentication_method = :authenticate_admin_user! was alredy uncomment.
In my ApplicationController I added the following:
# https://github.com/ryanb/cancan/wiki/exception-handling
rescue_from CanCan::AccessDenied do |exception|
respond_to do |format|
format.html do
redirect_to admin_root_path, :alert => exception.message
end
end
end
# https://github.com/ryanb/cancan/wiki/changing-defaults
def current_ability
#current_ability ||= Ability.new(current_admin_user)
end
And here is my Ability class:
class Ability
include CanCan::Ability
def initialize(user)
user ||= AdminUser.new
if user.role?('administrator')
can :manage, :all
else
can :read, :all
end
end
end
The Ability initialize method is not executing. I tried abort, -as the comments suggest- puts or p, and even sintax error and I have nothing. What am I mising?
I'm stuck here, I also tried http://www.activeadmin.info/docs/13-authorization-adapter.html#using_the_cancan_adapter but it is rising undefined method "authorization adapter", I am not sure if this is working with my activeadmin version. And adding a require active_admin/cancan_adapter rise a LoadError.
Thanks.
Finally I did the trick thanks to http://makandracards.com/jan0sch/13877-rails-activeadmin-and-cancan
Basically I need to add a controller block in the activeadmin register page for loading it:
ActiveAdmin.register Whatever do
#...
controller do
load_and_authorize_resource :except => :index
def scoped_collection
end_of_association_chain.accessible_by(current_ability)
end
end
#...
end