
I have a scaffold Finances and I just realized that it can be edited by any logged-in user by going to /finances/1/edit.

I have installed the active_admin gem but I don't think it is what I need. How do I make sure that no one other than an admin (or maybe some users) can edit the finances resource type - I

EDIT - I found https://github.com/EppO/rolify; is this the best option, or can I still do something better, as it may be overkill?

EDIT 1 - I went through https://github.com/EppO/rolify/wiki/Tutorial and have assigned the role "admin" to user = User.find(1). Everything went well up to "ability.can? :manage, :all" in the console, which shows TRUE for user 1 and false for other users. Now I am not able to figure out what to do. I can still see all users being able to edit the page even though I have added "resourcify" in the finance.rb model. Any help?

iCyborg

3 Answers


I'm not sure how your models are set up, but let's say your User model has an admin column; then you can do the following:

class FinancesController < ApplicationController
  # Run the admin check before the edit action; update (and destroy) need the
  # same filter, otherwise the form can still be submitted directly.
  before_filter :must_be_admin, only: :edit

  def edit
    ...
  end

  private

  def must_be_admin
    # Deny unless someone is logged in and flagged as an admin
    unless current_user && current_user.admin?
      redirect_to root_path, notice: "Some message"
    end
  end
end

You can add any actions needed to the before filter, e.g. before_filter :must_be_admin, only: [:edit, :destroy]

mind.blank
  • Hi, I went through https://github.com/EppO/rolify/wiki/Tutorial and have assigned the role "admin" to user = User.find(1). Everything went well up to "ability.can? :manage, :all" in the console, which shows TRUE for user 1 and false for other users. Now I am not able to figure out what to do. I can still see all users being able to edit the page even though I have added "resourcify" in the finance.rb model. Any help? Thanks – iCyborg Apr 18 '13 at 10:33

Well, I personally use rolify for my project and love it, but to be honest this is super easy to achieve by simply adding a column "admin" to your User model and having it default to false. When you want a user to be an admin, update the attribute to true and then require User.admin == true to access the finances edit action. You can do this by redirecting the non-admin user from the controller (within the finances edit action).

By the way, if you're using Devise for auth, check out the Devise before_filter authenticate_admin?

Abram
  • Yes, I am using Devise. I see https://github.com/plataformatec/devise/wiki/How-To:-Add-an-Admin-role, which is nice, so should I use that or go with rolify? Also, can't I just use "if uid == 1" or similar code in the controller? – iCyborg Apr 17 '13 at 06:19
  • Yeah, you could do it that way... and yes, if you just have this simple case and no other need for roles in your site, I would just go with the Devise wiki link method :) – Abram Apr 17 '13 at 06:29
  • Hi, I went through https://github.com/EppO/rolify/wiki/Tutorial and have assigned the role "admin" to user = User.find(1). Everything went well up to "ability.can? :manage, :all" in the console, which shows TRUE for user 1 and false for other users. Now I am not able to figure out what to do. I can still see all users being able to edit the page even though I have added "resourcify" in the finance.rb model. Any help? Thanks – iCyborg Apr 18 '13 at 10:33
  • So you've added this to your ability.rb file in app/models? if user.has_role? :admin can :manage, :all else can :read, :all end – Abram Apr 18 '13 at 21:23
  • Hey buddy, me again... I did some digging. Check this out: http://stackoverflow.com/questions/16096763/what-is-the-purpose-of-rolify – Abram Apr 19 '13 at 03:36

If you're looking to add sensible user authorization without rolling your own solution, definitely check out CanCan. Also helpful is this screencast by its author, Ryan Bates.

zeantsoi
  • Hi, I went through https://github.com/EppO/rolify/wiki/Tutorial, which installs cancan + rolify, and have assigned the role "admin" to user = User.find(1). Everything went well up to "ability.can? :manage, :all" in the console, which shows TRUE for user 1 and false for other users. Now I am not able to figure out what to do. I can still see all users being able to edit the page even though I have added "resourcify" in the finance.rb model. Any help? Thanks – iCyborg Apr 18 '13 at 10:34
  • Please update your question with some code. It is difficult to diagnose what's going on without seeing what you're working with. – zeantsoi Apr 18 '13 at 15:20
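The enforcement step that the question's EDIT 1 is missing, as an added example that is not code from the thread or from the CanCan/rolify projects: a gem-free Ruby stand-in (the User, Ability, Finance, AccessDenied and edit_finance names are assumptions) showing that defining the Ability only answers can?; the controller still has to call authorize! (what CanCan's load_and_authorize_resource does) before non-admin users stop reaching the edit page.

```ruby
# Added example, not code from the thread: a gem-free stand-in for the CanCan
# Ability and rolify has_role? pieces, showing why `ability.can? :manage, :all`
# being true in the console does not protect /finances/1/edit on its own.
Finance = Struct.new(:id, :owner_id)
class AccessDenied < StandardError; end
class User
  attr_reader :id, :roles
  def initialize(id, roles = [])
    @id, @roles = id, roles
  end
  def has_role?(role)   # stand-in for rolify's User#has_role?
    roles.include?(role)
  end
end

# Stand-in for CanCan's Ability, with the same rules as the thread's ability.rb.
class Ability
  def initialize(user)
    @rules = []
    if user.has_role?(:admin)
      can :manage, :all
    else
      can :read, :all       # :read does not cover :edit or :update
    end
  end
  def can(action, subject)
    @rules << [action, subject]
  end
  def can?(action, subject)
    @rules.any? { |a, s| (a == :manage || a == action) && (s == :all || s == subject) }
  end
end

# Stand-in for FinancesController#edit. enforce: false is the thread's broken
# state (no authorize! call); enforce: true is what CanCan's
# load_and_authorize_resource adds, raising CanCan::AccessDenied on a denial.
def edit_finance(user, finance, enforce: true)
  if enforce && !Ability.new(user).can?(:edit, finance)
    raise AccessDenied, "user #{user.id} may not edit finance #{finance.id}"
  end
  :edit_form_rendered
end

# Constructed sample: User.find(1) holds role "admin"; user 2 is any other login.
admin, member, ledger = User.new(1, [:admin]), User.new(2), Finance.new(1, 2)
Ability.new(member).can?(:manage, :all)                   # => false
edit_finance(member, ledger, enforce: false)              # => :edit_form_rendered
edit_finance(admin, ledger)                               # => :edit_form_rendered
(edit_finance(member, ledger) rescue :denied)             # => :denied
```

In the real app, rescue CanCan::AccessDenied in ApplicationController and redirect, the same way the before_filter answer above redirects non-admins.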