
I have a Rails 4 app. It is working with devise 3.2.3. devise is properly integrated. At this point, users can register with email and password, sign in and perform CRUD operations.

Now here is what I would like to do: instead of having any user sign up by themselves, I want to create an admin. The admin would retain the responsibility of creating users. I don't want users to sign up by themselves. Basically the admin will create the user, issue them their log-in credentials, and email them to the user.

I read this post and similar ones in SO and in devise wikis to no avail.

I have added a boolean field to users table to identify admin users.

class AddAdminToUser < ActiveRecord::Migration
  def change
    # Defaults to false so that newly created accounts are not admins.
    add_column :users, :admin, :boolean, :default => false
  end
end

I have read about managing users using cancan, but I don't know how to use it to achieve my objective. The solution I'm looking for would probably require a combination of devise and cancan.

I would appreciate any guidance on this matter.

  • The [rails_admin gem](https://github.com/sferik/rails_admin) is pretty great for user management among other things. It gets you up and running quickly with an admin interface. – Joe Kennedy May 27 '14 at 01:18
  • @JKen13579 thanks for the tip. I'll check it out. – Wally Ali May 27 '14 at 01:23

1 Answer
  1. Make sure that the boolean :admin is not in your params.permit() area for strong parameters.
  2. Use the pundit gem, it is maintained and pretty much plain old ruby objects.

Then in your UserPolicy you would do something like this

class UserPolicy < ApplicationPolicy
  # Pundit consults this before the create action; only admins may create users.
  def create?
    user.admin?
  end
end

And your model would look something like this

class User < ActiveRecord::Base
  # Returns the boolean admin column. ActiveRecord already generates this
  # predicate for boolean columns, so the explicit method is optional.
  def admin?
    admin
  end
end

Last in your controller you make sure that the user is authorized to do the action

class UserController < ApplicationController
  def create
    @user = User.new(user_params)
    # Pundit looks up UserPolicy#create? for the current user and raises
    # Pundit::NotAuthorizedError when it returns false.
    authorize @user
    # Saving and rendering are left out; this shows only the authorization step.
  end
end

You would probably also want to restrict the buttons that are shown that would give access to the admin user creation section. Those can be done with pundit as well.

  • So I need to create `userscontroller`? What do I do for `routes`? – Wally Ali May 27 '14 at 02:32
  • Why is the `UserController` inheriting from `ActionController`? I'm getting the `superclass must be a Class (Module given)` error message. – Wally Ali May 27 '14 at 02:36
  • Typo on my end; updated it. Your routes do what they normally do in the app, whether you do it through resources :users or otherwise. This way your code takes care of the authorization. – Austio May 27 '14 at 02:47
  • Thanks for the responses. Where is `authorize` defined? Why aren't you saving the new user? For some reason now I'm getting: `param not found: user`. My params method has this code: `params.require(:user).permit(:email)`. I do have the `email` attribute in the `users` table. – Wally Ali May 27 '14 at 03:11
  • This was just the authorization logic; you would still need to render out saving based on how you are doing that (json, html, whatever). authorize is through pundit. Sounds like you are having trouble with strong parameters. Post your strong parameters part from the controller in your original post and I'll take a check. – Austio May 27 '14 at 13:21
  • Hey Austio, thanks for helping out. I opted for `admin_rails` and `cancancan`, which is now working for me. – Wally Ali May 27 '14 at 15:57
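The two checks the answer above recommends, the permit list without `:admin` and an admin-only `create?` policy, as an added example that is not part of the original post and not the pundit gem's own code. It runs as plain Ruby with no Rails, so `User`, `authorize`, `user_params` and `create_user` are simplified stand-ins for what Pundit and ActionController provide; the `admin?` check on a boolean attribute is as in the answer.

```ruby
class NotAuthorizedError < StandardError; end

# Stand-in for the ActiveRecord model: admin is a plain boolean attribute.
User = Struct.new(:email, :admin) do
  def admin?
    admin == true
  end
end

# Same shape as Pundit's ApplicationPolicy: deny unless a subclass opts in.
class ApplicationPolicy
  attr_reader :user, :record
  def initialize(user, record)
    @user, @record = user, record
  end
  def create?
    false
  end
end

class UserPolicy < ApplicationPolicy
  # Step 2 from the answer: only an admin may create user accounts.
  def create?
    user.admin?
  end
end

# Simplified version of Pundit's controller helper: find <Record>Policy,
# ask it the query, and raise if it answers false.
def authorize(current_user, record, query = :create?)
  policy = Object.const_get("#{record.class.name}Policy").new(current_user, record)
  raise NotAuthorizedError, "#{query} denied" unless policy.public_send(query)
  record
end

# Step 1 from the answer: the permit list for a new user. :admin is
# deliberately absent, so a request body carrying "admin" => true cannot
# create an admin account. Like params.require(:user), a missing "user"
# key raises (the "param not found: user" case from the comments).
PERMITTED = %w[email].freeze
def user_params(raw)
  raw.fetch("user").select { |key, _| PERMITTED.include?(key) }
end

# The create action's authorization path: filter params, build, authorize.
def create_user(current_user, raw_params)
  attrs = user_params(raw_params)
  new_user = User.new(attrs["email"], attrs.fetch("admin", false))
  authorize(current_user, new_user)
end
```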