Hello everyone,
I want to add authorization to my Rails app. As I am using devise for
authentication, I added an admin field to the User model.
class User
  ...
  field :admin, :type => Boolean, :default => false
  ...
end
In the controller, I added a method like this:
class ApplicationController < ActionController::Base
  ...
  private
  def authenticate_admin
    if current_user
      return current_user.admin?
    end
  end
end
In the admin namespace controller:
class Admin::HomeController < ApplicationController
  before_filter :authenticate_admin
  ...
end
But it didn't work here, I mean, I can still access the backend with a
user account even if the admin field of the account is false.
Can somebody tell me why?
Thanks!
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
On May 25, 3:32 pm, Tomato <ustc.flying...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> private
> def authenticate_admin
> if current_user
> return current_user.admin?
> end
> end
> end
>
> In the admin namespace controller:
>
> class Admin::HomeController < ApplicationController
> before_filter :authenticate_admin
> ...
> end
>
> But it didn't work here, I mean, I can still access backend with a
> user account even if the admin field of the account is false.
> Can somebody tell me why?

Not familiar with devise, but your before filter isn't actually doing
anything. If the user isn't an admin then you probably want to
redirect them to a login page or show an 'access denied' template

Fred

> Thanks!
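To make Fred's point concrete, here is an added example (not code from the thread, Devise or Rails): a tiny stand-in for the Rails filter chain, which halts only when a before filter renders or redirects and ignores the filter's return value. The User struct, MiniController and the two controllers are simplified assumptions, not the real ActionController classes.

```ruby
# Added example: a minimal model of the Rails before_filter chain.
# Rails halts the chain only when a filter performs a response
# (render/redirect); a filter that merely returns false does nothing.
# User, MiniController and both controllers are simplified stand-ins.
User = Struct.new(:admin) do
  def admin?; admin; end
end
class MiniController
  def self.before_filters; @before_filters ||= []; end
  def self.before_filter(name); before_filters << name; end
  attr_reader :current_user, :response
  def initialize(current_user)
    @current_user = current_user
    @response = nil
  end
  def performed?; !@response.nil?; end
  def redirect_to(path); @response = [302, path]; end
  def render(status, body); @response = [status, body]; end
  # Run filters in order; stop as soon as one has performed a response.
  # The action runs only if no filter did, which is how Rails behaves.
  def process(action)
    self.class.before_filters.each do |f|
      send(f)
      return response if performed?
    end
    send(action)
  end
end

# The thread's original filter: returns true/false and never performs,
# so every signed-in user (and even no user) reaches the admin action.
class BrokenAdminController < MiniController
  before_filter :authenticate_admin
  def authenticate_admin
    return current_user.admin? if current_user
  end
  def index; render(200, :admin_index); end
end

# Fred's fix: redirect (or render an 'access denied' page) when the
# visitor is not an admin, so the chain halts before the action.
class FixedAdminController < MiniController
  before_filter :authenticate_admin
  def authenticate_admin
    return if current_user && current_user.admin?
    redirect_to('/users/sign_in')
  end
  def index; render(200, :admin_index); end
end
```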
Thank you very much! It works!

On May 25, 11:07 am, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Not familiar with devise, but your before filter isn't actually doing
> anything. If the user isn't an admin then you probably want to
> redirect them to a login page or show an 'access denied' template
>
> Fred
You may also use a specific Admin model and authentication scheme with
Devise; I found it easier to manage specific admin tasks not related
to web site pages for users.
devise_for :users, :controllers => { :sessions => "users/sessions",
                                     :passwords => "users/passwords",
                                     :registrations => "users/registrations",
                                     :confirmations => "users/confirmations",
                                     :unlocks => "users/unlocks" } do
  ......t
end
devise_for :admins, :controllers => { :sessions => "admins/sessions",
                                      :passwords => "admins/passwords",
                                      :registrations => "admins/registrations" }
and you need in your controllers:
before_filter :authenticate_admin!
I have both and I use Cancan (abilities based on roles in each
area).
On 25 May, 17:16, Tomato <ustc.flying...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Thank you very much! It works!
>
> On May 25, 11:07 am, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Not familiar with devise, but your before filter isn't actually doing
> > anything. If the user isn't an admin then you probably want to
> > redirect them to a login page or show an 'access denied' template
> >
> > Fred
I have considered both ways you mentioned, but it seems not necessary to use such methods as it is just a little app. Maybe I will use cancan in the future when necessary. Thank you anyway!

On May 25, 12:49 pm, Erwin <yves_duf...-ee4meeAH724@public.gmane.org> wrote:
> You may also use a specific Admin model and authentication scheme with
> Devise, I found it easier to manage specific admin tasks not related
> to web site pages for users
>
> devise_for :users, :controllers => { :sessions => "users/sessions",
> :passwords => "users/passwords", :registrations => "users/registrations",
> :confirmations => "users/confirmations", :unlocks => "users/unlocks" } do
> ......t
> end
> devise_for :admins, :controllers => { :sessions => "admins/sessions",
> :passwords => "admins/passwords", :registrations => "admins/registrations" }
>
> and you need in your controllers :
>
> before_filter :authenticate_admin!
>
> I have both and I use Cancan ( abilities based on roles in each
> area)