Authorization problem

Hello everyone,

I want to add authorization to my Rails app. As I am using Devise for authentication, I added an admin field to the User model.

    class User
      ...
      field :admin, :type => Boolean, :default => false
      ...
    end

In the controller, I add a method like this:

    class ApplicationController < ActionController::Base
      ...
      private

      def authenticate_admin
        if current_user
          return current_user.admin?
        end
      end
    end

In the admin namespace controller:

    class Admin::HomeController < ApplicationController
      before_filter :authenticate_admin
      ...
    end

But it didn't work: I mean, I can still access the backend with a user account even if the admin field of the account is false. Can somebody tell me why?

Thanks!


Not familiar with Devise, but your before filter isn't actually doing anything. If the user isn't an admin then you probably want to redirect them to a login page or show an 'access denied' template.

Fred
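Fred's point, as an added example that is not code from the thread: a small stand-in for the Rails filter chain (no Rails needed) that shows why the original filter, which only returns a boolean, lets the action run, while a filter that redirects halts it. The User struct, FakeController and the response values are constructed for this demonstration.

```ruby
# Added example, not code from the thread: a tiny stand-in for Rails'
# before_filter chain. It shows why a filter that merely returns false does
# not stop the action, while one that redirects does. User, FakeController
# and the response values are constructed here; no Rails is needed.
User = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

class FakeController
  attr_reader :response, :current_user

  def initialize(current_user)
    @current_user = current_user
    @response = nil # set by redirect_to or by the action
  end

  # Mimics Rails: the chain halts only when a filter has redirected or
  # rendered; the filter's return value is ignored entirely.
  def self.run(filter, user)
    controller = new(user)
    controller.send(filter)
    controller.send(:index) if controller.response.nil?
    controller.response
  end

  def redirect_to(path)
    @response = [:redirect, path]
  end

  # The original poster's filter: it only returns true/false/nil.
  def authenticate_admin_broken
    current_user.admin? if current_user
  end

  # Fixed version: redirect non-admins (and anonymous users), which halts
  # the chain before the action runs.
  def authenticate_admin
    redirect_to("/") unless current_user && current_user.admin?
  end

  private

  # Stands in for Admin::HomeController#index rendering its template.
  def index
    @response = [:render, "admin/home/index"]
  end
end
```

In Rails 4 and later the same hook is spelled before_action; the halting rule is unchanged.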

Thank you very much! It works!

You may also use a specific Admin model and authentication scheme with Devise; I found it easier to manage specific admin tasks not related to the web site pages for users.

    devise_for :users, :controllers => { :sessions => "users/sessions",
                                         :passwords => "users/passwords",
                                         :registrations => "users/registrations",
                                         :confirmations => "users/confirmations",
                                         :unlocks => "users/unlocks" } do
      # ......
    end
    devise_for :admins, :controllers => { :sessions => "admins/sessions",
                                          :passwords => "admins/passwords",
                                          :registrations => "admins/registrations" }

and in your controllers you need:

    before_filter :authenticate_admin!

I have both, and I use CanCan (abilities based on roles in each area).

I have considered both ways you mentioned, but it does not seem necessary to use such methods, as it is just a small app.

Maybe I will use CanCan in the future when necessary.

Thank you anyway!