Reputation: 244
What is the proper way to validate that a User's admin attribute is set to true in your controllers?
I have a Devise User model with the attribute admin of type boolean. How can I specify in my controllers that only want certain actions to be available if admin = true? Would the following authorize method work?
def authorize
redirect_to login_url, alert:"Not authorized" if current_user.admin == false
end
Here is my Users table, admin is a boolean.
create_table "users", force: true do |t|
t.string "email", default: "", null: false
t.string "encrypted_password", default: "", null: false
t.string "reset_password_token"
t.datetime "reset_password_sent_at"
t.datetime "remember_created_at"
t.integer "sign_in_count", default: 0, null: false
t.datetime "current_sign_in_at"
t.datetime "last_sign_in_at"
t.string "current_sign_in_ip"
t.string "last_sign_in_ip"
t.datetime "created_at"
t.datetime "updated_at"
t.boolean "admin", default: false
t.string "image_file_name"
t.string "image_content_type"
t.integer "image_file_size"
t.datetime "image_updated_at"
t.string "name"
end
Output of current_user inside the authorize_admin method using Pry:
NameError: undefined local variable or method `current_user' for :authorize_admin:Symbol
I am using devise so shouldn't current_user work?
Here is the output of User.first in the console:
#<User id: 1, email: "[email protected]", encrypted_password:
"$2a$10$RCgzx7PJho4vegbf8Z04eumTGB1RyDl5YvDeCAMz7g3...", reset_password_token: nil,
reset_password_sent_at: nil, remember_created_at: nil, sign_in_count: 5,
current_sign_in_at: "2014-10-25 23:42:17", last_sign_in_at: "2014-10-23 00:57:07",
current_sign_in_ip: "127.0.0.1", last_sign_in_ip: "127.0.0.1", created_at:
"2014-10-10
19:24:39", updated_at: "2014-10-25 23:42:17", admin: false, image_file_name: nil,
image_content_type: nil, image_file_size: nil, image_updated_at: nil, name: nil>
Upvotes: 2
Views: 364
Answers (2)
Reputation: 9173
How can I specify in my controllers that only want certain actions to be available if admin = true?
You can use rails before filter to achieve it. You can define your authorize method in application controller, which will make this method available in all of your controllers.
class ApplicationController < ActionController::Base
private
def authorize
redirect_to login_url, alert:"Not authorized" if current_user.try(:admin) == false
end
end
Now inside controller you can set before filter for methods you want to authorize.
class HomeController < ApplicationController
before_action :authorize, only: [:your_action_name]
def your_action_name
#some action
end
end
If your code has a lot of customisation depending on admin and normal users then you can also use cancancan
Upvotes: 1
Reputation: 2089
I use the Declarative Authorization gem to control user access to controller actions and highly recommend it. It allows you to set up categories of users and then control which group has access to which controller actions. It's powerful, flexible and pretty easy to set up.
Upvotes: 0
Related Questions
- Validation in model only if current_user is admin - Rails
- Attribute validation based on user role
- Michael Hartl's Rails 5 tutorial chapter 10, listing 10.56, test if the admin attribute is forbidden
- Rails, can validate a user crating a record is admin, from the model?
- Rails before action check if admin
- user validation for admin presence
- How do i check if my user is admin in rails?
- Validations with Active Admin
- How to check if the user should be assigned the role admin
- Rails security validations in controller?