Alain Goldman

Reputation: 2908

Rails - Making a page viewable to admin only

I have a super simple question. I have a page that lists all the products in my app. I just want to make that page viewable by admin only. But products/new I want everyone to be able to see clearly.

schema.rb

  create_table "users", :force => true do |t|
    t.string   "email"
    t.string   "password_hash"
    t.string   "password_salt"
    t.datetime "created_at",      :null => false
    t.datetime "updated_at",      :null => false
    t.string   "name"
    t.boolean  "admin",           :default => false
  end

products controller

class ProductsController < ApplicationController
  before_filter :require_login
  before_filter :current_user, only: [:create, :destroy]
  before_filter :correct_user, only: :destroy

  def index
    @products = Product.all
  end

  def new
    @product = Product.new
  end

  def create
    @product = current_user.products.new(params[:product])
    if @product.valid?
      @product.save
      render "show", :notice => "Sale created!"
    else
      render "new", :notice => "Something went wrong!"
    end
  end
end

Upvotes: 4

Views: 3898

Answers (6)

user1616238

Reputation:

Put in your controller

before_filter :authorize_admin, only: :index

and in application_controller.rb

def authorize_admin
  # redirects to the previous page
  redirect_to :back, status: 401 unless current_user.admin
end

Upvotes: 8

rails_id

Reputation: 8220

Add a correct_user method and an admin_user method under private in your controller, or create another method with the following definition, and add :only => :index on the before_filter for admin.

before_filter :require_login
before_filter :correct_user
before_filter :admin_user, :only => :index


private

def correct_user
  # deny when there is no logged-in user or the user is not an admin
  redirect_to(root_path) if current_user.nil? || !current_user.admin?
end

def admin_user
  redirect_to(root_path) unless current_user.admin?
end

Upvotes: 1

medBouzid

Reputation: 8382

In your ProductsController you can add a function that verifies whether the user is an admin or not, and use a filter for the view you want to protect, like this:

class ProductsController < ApplicationController

  before_filter :admin_user, only: :index # here you specify the action (for views) to protect
  .
  .
  .
  private
  .
  .
  def admin_user
    redirect_to(root_url) unless current_user.admin?
  end
end

I hope that helps you.

Upvotes: 1

Florian Dano Clement

Reputation: 257

In your controller write

before_filter :admin_user

and create a def like this

private

def admin_user
  redirect_to(root_path) unless current_user && current_user.admin?
end

Upvotes: 2

Mike Campbell

Reputation: 7978

What have you tried? It's not exactly a thought-provoking question: you have a boolean for admin, and you want to restrict an action to admin only, so just check current_user.admin.

before_filter :require_admin, only: :index

private

def require_admin
  if !current_user.admin
    if request.xhr?
      head :unauthorized # for asynchronous/api requests, if you want.
    else
      render 'access/no_access' and return # or whatever.
    end
  end
end

Upvotes: 1
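The answers above differ on two details that matter for an authorization filter: what happens when current_user is nil (a logged-out visitor) and how an XHR/API caller is refused. The following is an added example, not code from any answer or from Rails itself, that models the filter's decision in plain Ruby so both cases can be run without a Rails app; User, Request and ProductsGuard are stand-ins for the real Rails objects.

```ruby
# Stand-in for the User model: `admin` is a boolean column defaulting to
# false, but may also be nil, so compare against true explicitly.
User = Struct.new(:email, :admin) do
  def admin?
    admin == true
  end
end

# Stand-in for ActionDispatch::Request; only xhr? matters here.
Request = Struct.new(:path, :xhr) do
  def xhr?
    xhr == true
  end
end

# Models the before_filter from the answers as a pure decision function.
class ProductsGuard
  # Only index is admin-only; new and create stay open, as the question asks.
  ADMIN_ONLY = [:index].freeze

  def initialize(current_user, request)
    @current_user = current_user
    @request = request
  end

  # Returns what the filter would do for the given action:
  #   :allow        -> fall through to the controller action
  #   :unauthorized -> head :unauthorized for XHR/API callers (no redirect)
  #   :redirect     -> redirect_to root_path for browser callers
  # `@current_user && @current_user.admin?` is nil-safe: a logged-out
  # visitor is denied instead of raising NoMethodError on nil.
  def check(action)
    return :allow unless ADMIN_ONLY.include?(action)
    return :allow if @current_user && @current_user.admin?
    @request.xhr? ? :unauthorized : :redirect
  end
end

if __FILE__ == $0
  # Constructed sample users and requests.
  admin = User.new("admin@example.com", true)
  member = User.new("user@example.com", false)
  browser = Request.new("/products", false)
  ajax = Request.new("/products", true)
  puts ProductsGuard.new(admin, browser).check(:index)   # allow
  puts ProductsGuard.new(member, browser).check(:index)  # redirect
  puts ProductsGuard.new(nil, ajax).check(:index)        # unauthorized
  puts ProductsGuard.new(nil, browser).check(:new)       # allow
end
```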

Jun Zhou

Reputation: 3070

Check the Railscasts episode Super Simple Authentication.

Actually, Ryan Bates is a big fan of building authentication from scratch; he made many episodes on these topics. Have a look at them and you will surely get some good ideas.

Upvotes: -1
