Reputation: 34145
I am using the devise_invitable gem to enable invites in my app, along with devise, for a Rails 3 app. I have a User & Profile model. In User, there is a role column which gives the type of user.
Now, I would like to restrict the feature of creating new invites only to admin by scoping the route to devise/invitations#new where user.role=='admin' & open the rest of the routes to everybody. Something like this:
    MyApp::Application.routes.draw do
      devise_for :users, skip: [:registrations, :invitations]
      as :user do
        get 'users/edit' => 'devise/registrations#edit', as: 'edit_user_registration'
        put 'users' => 'devise/registrations#update', as: 'user_registration'
        # manually define all devise_invitable routes, except devise/invitations#new
        # accept_user_invitation GET /users/invitation/accept(.:format) devise/invitations#edit
        # user_invitation POST /users/invitation(.:format) devise/invitations#create
        # also the #accept route goes here
      end
      resource :profile, except: :destroy
      authenticated :user, lambda {|u| u.role == "admin"} do
        resources :user, controller: "user"
        # only allow admin to invite other users
        # new_user_invitation GET /users/invitation/new(.:format) devise/invitations#new
      end
      root to: 'profiles#show'
    end
Possible? Also, what are the better ways to do the same thing?
Upvotes: 4
Views: 5565
Reputation: 1010
One simple way is to just overwrite the authenticate_inviter! method inside of ApplicationController as follows:
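    class ApplicationController < ActionController::Base
      ...
      private
      def authenticate_inviter!
        # current_user is the Devise helper; it is nil when nobody is signed in,
        # so check for it before reading the role.
        unless current_user && current_user.role == 'admin'
          redirect_to root_url, :alert => "Access Denied"
          return # do not fall through to super after redirecting
        end
        super
      end
      ...
    end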
And include the DeviseInvitable::Inviter module in your User model:
    class User < ActiveRecord::Base
      ...
      include DeviseInvitable::Inviter
      ...
    end
Upvotes: 7
Reputation: 3384
What about leaving the standard routes alone and using a before_filter in the Invitations controller to check for admin status only for the new and create actions?
    class Devise::InvitationsController < DeviseController
      ...
      before_filter :is_admin?, :only => [:new, :create]
      ...
    end
It looks like the devise_invitable gem actually uses this method internally as well:
    class Devise::InvitationsController < DeviseController
      before_filter :authenticate_inviter!, :only => [:new, :create]
      before_filter :has_invitations_left?, :only => [:create]
      before_filter :require_no_authentication, :only => [:edit, :update]
      ...
    end
According to their Readme:
To change the controller’s behavior, create a controller that inherits from Devise::InvitationsController. The available methods are: new, create, edit, and update. You should read the original controllers source before editing any of these actions.
I would just copy their default controller and try adding my own custom is_admin? before_filter in there for the new and create actions. Of course you'll also have to define the is_admin? method that the before filter calls.
Upvotes: 6
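An added example (not code from either answer or from devise_invitable) of the subclass approach in the last answer, with is_admin? defined and applied to both new and create, so the POST that sends an invitation is guarded as well as the form. Users::InvitationsController is an assumed name, and the stand-in base class is constructed only so the filter logic runs outside a Rails app; in the app the subclass is wired up with devise_for :users, :controllers => { :invitations => 'users/invitations' }.

```ruby
# Constructed stand-in, used only when the gem is not loaded (outside Rails):
# just enough of before_filter / redirect_to for the check below to run.
unless defined?(Devise::InvitationsController)
  module Devise
    class InvitationsController
      def self.filters; @filters ||= []; end
      def self.before_filter(name, opts = {}); filters << [name, Array(opts[:only])]; end
      attr_accessor :current_user
      attr_reader :redirected_to
      def redirect_to(target, _opts = {}); @redirected_to = target; end
      def root_url; '/'; end
      def new; :invite_form; end
      def create; :invite_sent; end
      def edit; :accept_form; end

      # Run the filters for this action; a redirect halts the chain, as in Rails.
      def process(action)
        self.class.filters.each do |name, only|
          next unless only.empty? || only.include?(action)
          send(name)
          return :halted if redirected_to
        end
        send(action)
      end
    end
  end
end

module Users; end

# app/controllers/users/invitations_controller.rb (assumed name and path)
class Users::InvitationsController < Devise::InvitationsController
  # Guard the form (new) and the POST that sends the invite (create).
  # edit/update stay open so invited users can still accept.
  before_filter :is_admin?, :only => [:new, :create]

  private

  def is_admin?
    # A nil current_user (not signed in) is denied as well.
    return if current_user && current_user.role == 'admin'
    redirect_to root_url, :alert => 'Access Denied'
  end
end
```

On Rails 5.1 and later the macro is before_action; before_filter matches the Rails 3 app in the question.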