How to have two different login and logout path with Devise - ruby-on-rails

I have one Devise model: User. I am needing two different login views, /login and /admin/login. Also, there would need to be two logout actions that redirect to different places (/logout and /admin/logout). Is this possible? Any pointers?
Thanks!

You can add all the views and controllers of devise to your project:
rails generate devise:views
This adds a devise folder inside your app/views. Inside the session/new view you can modify the login form based on the route used. The same can be done for the destroying of sessions by overriding the controllers.
However, there might be something wrong in your logic if you need multiple routes to login and logout. If you simply need to elevate people to admin level or allow access to an admin like rails_admin, there are plenty of alternatives. You could for example have a look at CanCan and implement RBAC into your application.

Related

When using cancancan with devise, does devise need to be added to ability.rb?

Question: when using cancancan for authorization and devise for authentication, do I have to define any authorizations for the devise part of the app, or does devise take care of everything itself?
Example
For example, for (all) other resources, we should place load_and_authorize_resource in the controller of that resource so that users who should not access it are prevented from doing so. Then, to allow access to those who should have access, we can define abilities by adding code like this to ability.rb:
# ability.rb
can [:index, :show], [Patient], user_id: user.id
Back to my question - do I have to add load_and_authorize_resource to any of devise's controllers and define permissions for devise controllers in ability.rb? OR does devise take care of all that without the developer having to do anything?
We obviously don't want to allow one user to change another user's account info!
It's important to distinguish between devise authorization part of account info (session creation/logout/email+password+restoration/changing if you have that enabled) and any other custom logic and data related to it (for example - names, shoe sizes, whatever) that is kept inside or accesses the same model.
Devise controllers, if you did not change them much, are very simple and do not need additional access control because by design the user is only able to edit their own auth data (they simply do not handle a user id from outside, thus there's no way to tamper with it). Moreover, just adding load_and_authorize_resource will at least have no effect or more probably will interfere with existing devise code because it was not designed around cancancan.
But if you have your own controllers for user profile(s), like user index, admin editing other's profiles etc - obviously, you have to facilitate access control there.
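The distinction drawn in the answer above, as an added plain-Ruby sketch that is not code from the post and uses neither Devise nor CanCanCan: an action that always targets the signed-in user needs no extra check, while an action that takes a record id from the request must authorize the record first. MiniAbility, USERS, update_own_account and update_profile are hypothetical names, and the user records are constructed sample data.

```ruby
# Added illustration in plain Ruby; models the idea only, not Devise or CanCanCan.
User = Struct.new(:id, :email, :shoe_size, :admin)

class AccessDenied < StandardError; end

# Hypothetical miniature of a CanCanCan-style ability: rules are [action, conditions].
class MiniAbility
  def initialize(user)
    @rules = []
    if user.admin
      can :manage, {}               # admins may act on any user record
    else
      can :update, { id: user.id }  # everyone else only on their own record
    end
  end

  def can(action, conditions)
    @rules << [action, conditions]
  end

  def can?(action, record)
    @rules.any? do |rule_action, conditions|
      (rule_action == :manage || rule_action == action) &&
        conditions.all? { |attr, value| record[attr] == value }
    end
  end
end

# Constructed sample data standing in for the users table.
USERS = { 1 => User.new(1, "alice@example.test", 38, false),
          2 => User.new(2, "bob@example.test", 44, false),
          3 => User.new(3, "root@example.test", 42, true) }

# Devise-style account update: the target is always the signed-in user,
# so there is no id parameter for a client to tamper with.
def update_own_account(current_user, params)
  current_user.email = params.fetch(:email)
  current_user
end

# Custom profile action: the id comes from the request, so the record
# must be authorized before it is changed.
def update_profile(current_user, params)
  record = USERS.fetch(params.fetch(:id))
  raise AccessDenied unless MiniAbility.new(current_user).can?(:update, record)
  record.shoe_size = params.fetch(:shoe_size)
  record
end
```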

CRUD actions on a Devise User model - Rails 5

I'm working on a project that has a User Devise model and an Admin Devise model, and I want an Admin to be able to perform CRUD on the User model.
I've set up both Devise models following the Devise Wiki's How to Setup Multiple Devise User Models guide (including step 4 - exposing the scoped controllers).
This has given me the Devise views and controllers for confirmations, passwords, registrations, sessions and unlocks, but no users_controller to add CRUD actions to.
Could I simply create a users_controller and make sure it uses the correct users table in the database, or should I add CRUD actions to the registrations_controller?
Is the above advisable, or is there a more elegant way of setting up a CRUD interface for an Admin to be able to manage the User model?
Any help would be much appreciated.
Devise works only with sign_up/sign_in process. It assumes not only simple user creation, but some more things, like email sending.
So if you want to create/update/destroy users you need to create a separate UsersController. It is better to add an admin namespace to it.

Creating new users through Devise with an admin user who is already logged in

I'm building a service on Rails using Devise which requires an 'admin' user to add regular users to their organization account.
The default behaviour of Devise doesn't support this, as the ':require_no_authentication' method is called when a logged in admin user tries to create a regular user account.
What would be the recommended method of achieving the functionality I am looking for?
:require_no_authentication is called by prepend_before_filter in the
Devise::RegistrationsController class, rather than in one of the
RegistrationsController methods, so I do not know if this can be
overridden (correct me if I'm wrong).
I believe separating the admin users from the regular users would
work, however these users will share very similar properties, so I
believe doing this will add unnecessary repetition.
I am currently trying to create new admin users (who in turn create
the organization that regular users belong to) using the regular
Devise sign up flow with 'users#new' and 'users#create' controller
actions, and allowing admins to add new users through a 'users#add'
action.
If there is perhaps another good user authentication gem that would better suit my needs, I would be happy to take a look at switching to that.
This seems to be more of an authorization problem than an authentication problem. You can use an authorization gem, such as cancan, to assign roles to users (such as admin) and grant abilities to those roles. This works really well alongside Devise. Here's a tutorial:
http://www.tonyamoyal.com/2010/07/28/rails-authentication-with-devise-and-cancan-customizing-devise-controllers/
EDIT: I think I may have misunderstood your problem. Maybe what you need is just another controller to handle the creating of users outside of the Devise controllers. You could use cancan to restrict access to this controller to only admins.

disable devise user registration and move that functionality to an admin method?

I would like to disable user registration for devise and move the creation of new users to an admin method under an admin namespace.
How could this be accomplished? I have searched and think I have to overrule the devise controllers disabling the custom user registration.
But how to make a new user based on a form under an admin namespace? Anyone done such a thing before and could share some pointers on how to get it done? Thank you.
Check out the devise Wiki, quite a common question (think this is what you are looking for)
https://github.com/plataformatec/devise/wiki/How-To%3a-Require-admin-to-activate-account-before-sign_in

Split devise edit user registration into 2 separate forms to change email and change password?

I've searched topics but this exact question doesn't come up. Is it possible to separate the Devise user form to make it 2 separate forms?
change email
change password?
You only have to create a simple CRUD, as in any other case. It is also possible to generate the view that devise uses and/or override the controllers.
https://github.com/plataformatec/devise/wiki/How-To:-Manage-users-through-a-CRUD-interface
Managing your users is not really devise related, devise only really handles authentication.
