1

I have both Pundit and Devise setup and working correctly in my rails app. However I am unsure about how to let the user decide their role when signing up.

At the moment:

  • I have a URL param which is passed to the Devise new view.
  • In the form_for I set a hidden field called role to the value of the param.

This works.

But I am concerned that a malicious user could change this param to say "Admin" and now they are an admin.

How should I handle this? I don't want to put a restriction in the model as that will cause issues when I want to create an admin. Should I override the devise registrations controller to put a check in there?

Ecnalyr
  • 5,792
  • 5
  • 43
  • 89
Tom
  • 480
  • 4
  • 13

2 Answers2

1

After a fair amount of googling I have an answer. First stick some validation in your model for the roles Active Record Validations Guide: See 2.6 inclusion: validator option

After this your roles are validated to ensure they are correct, you could of course have a lookup table as well. Then you have two options:

  1. Use a conditional before_save Callback for new records. Then check if the new record has the role your protecting and if so raise an error. To catch later (in an overridden devise controller (see second option).
  2. Override the Devise registrations controller See this SO question. And put some checks in a completely overridden create action. Use the session to store the url param passed to the new action (also needs to be completely overridden). Then if the create action fails and redirects to new you still have access to the role in the session (as the param will be cleared from the URL unless you manipulate it).

So either way you need to override the registrations controller, its just a case of how much.

I suspect there is a way to do this with just Pundit. But I have yet to be able to get it to work.

Community
  • 1
  • 1
Tom
  • 480
  • 4
  • 13
1

You don't need to override Devise's RegistrationsController for what you're trying to do.

If you want admins to be able to create users that have an arbitrary role set, you could simply use your own controller. Devise still makes it easy to create a user yourself, so you'll just have to make a controller handling this. Of course, don't forget to protect it using Pundit so only admins can use this functionality.

This approach still works if you use the Confirmable module. As no confirmation e-mail will be sent on user creation, though, you'll either have to call user.confirm! after saving the model to immediately unlock the account, or manually send the confirmation e-mail using user.send_confirmation_instructions.

Edit:

This Pundit policy may or may not work for what you're trying to do. You will have to override the create action of Devise's RegistrationsController here in order to use Pundit's authorize method. For dryness' sake, you should also move the roles list elsewhere, perhaps into the model.

class UserPolicy < Struct.new(:current_user, :target_user)    
  def create?
    registration_roles.include?(target_user.role) if current_user.nil?
  end

  private

  def registration_roles
    %w(RED BLU Spectator)
  end
end
Community
  • 1
  • 1
Mel Kicchi
  • 188
  • 1
  • 12
  • That sounds great. But my main issue is stopping a new user from creating an account with a role such as "Admin" by changing the value of a hidden field in a form. If there is a new user I want to limit them to only be able to pick certain roles even if they update the hidden form field to a role I don't want them to have. I think a pundit policy can do this - but I am not sure how. – Tom Apr 10 '14 at 16:36
  • You're not supposed to put the role in the form. Just default it in the database, that would be the simplest solution. You can [fix this in a migration](http://api.rubyonrails.org/classes/ActiveRecord/ConnectionAdapters/SchemaStatements.html#method-i-change_column_default). Alternatively, you can use the `before_create` callback on your model for that if you wanted to. – Mel Kicchi Apr 10 '14 at 16:40
  • 1
    Ah, I see that you edited your comment. You could indeed do this in a Pundit policy. Let me edit my answer to add something. Note that I'm not familiar with Pundit (I've only used Authority myself), so YMMV with my code. – Mel Kicchi Apr 10 '14 at 16:43
  • Thanks for the edit. I shall give it a go at home - if it is ok I shall mark you as the answer :) – Tom Apr 10 '14 at 17:12