Authorization problem

Hello everyone,

I want to add authorization to my Rails app. Since I am using Devise for
authentication, I added an admin field to the User model:

class User
  field :admin, :type => Boolean, :default => false
end

In the controller, I add a method like this:

class ApplicationController < ActionController::Base
  private

  def authenticate_admin
    if current_user
      return current_user.admin?
    end
  end
end

In the admin namespace controller:

class Admin::HomeController < ApplicationController
  before_filter :authenticate_admin
end

But it didn't work: I can still access the backend with a user account
even if the account's admin field is false.
Can somebody tell me why?

Thanks!

On May 25, 3:32pm, Tomato [email protected] wrote:

> class Admin::HomeController < ApplicationController
>   before_filter :authenticate_admin
> end
>
> But it didn't work: I can still access the backend with a user account
> even if the account's admin field is false.
> Can somebody tell me why?

Not familiar with Devise, but your before filter isn't actually doing
anything. If the user isn't an admin then you probably want to
redirect them to a login page or show an 'access denied' template.

Fred
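Fred's point can be checked outside Rails. The following is an added example, not code from the thread: a minimal stand-in for the ActionController filter chain (MiniController, require_admin! and admin_page_status are my names, and "/users/sign_in" is an assumed Devise path) that runs the original filter and a redirecting one side by side.

```ruby
# Added example (not from the thread): a tiny stand-in for the Rails filter
# chain. Rails halts the chain only when a filter renders or redirects, so a
# before_filter that merely returns false lets the action run anyway.
User = Struct.new(:admin) do
  def admin?; admin; end
end

class MiniController
  attr_reader :status, :location

  def initialize(current_user)
    @current_user = current_user
    @status = nil      # nil until something renders or redirects
    @location = nil
  end

  # Run the filters in order; stop as soon as one has "performed"
  # (set a response), otherwise run the action. Mirrors ActionController.
  def dispatch(filters)
    filters.each do |f|
      send(f)
      return self if performed?
    end
    index
    self
  end

  def performed?; !@status.nil?; end
  def redirect_to(path); @status = 302; @location = path; end
  def index; @status = 200; end   # the protected admin action

  private
  attr_reader :current_user

  # The filter from the question: its boolean return value is ignored.
  def authenticate_admin
    return current_user.admin? if current_user
  end

  # The fix Fred describes: redirect (or render) unless the user is an admin.
  # "/users/sign_in" is an assumed Devise sign-in path, not from the thread.
  def require_admin!
    return if current_user && current_user.admin?
    redirect_to("/users/sign_in")
  end
end

# Status the admin page would answer with for a given user and filter.
def admin_page_status(user, filter)
  MiniController.new(user).dispatch([filter]).status
end
```

With the original filter a non-admin (or even an anonymous visitor) gets 200; with the redirecting filter they get 302 and only admins reach the action.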

Thank you very much! It works!

On May 25, 11:07am, Frederick C. [email protected] wrote:

You may also use a specific Admin model and authentication scheme with
Devise; I found it easier for managing specific admin tasks not related
to the web site pages for users:

devise_for :users, :controllers => { :sessions      => "users/sessions",
                                     :passwords     => "users/passwords",
                                     :registrations => "users/registrations",
                                     :confirmations => "users/confirmations",
                                     :unlocks       => "users/unlocks" } do
  …t
end
devise_for :admins, :controllers => { :sessions      => "admins/sessions",
                                      :passwords     => "admins/passwords",
                                      :registrations => "admins/registrations" }

and in your controllers you need:

before_filter :authenticate_admin!

I have both, and I use CanCan (abilities based on roles in each
area).

I have considered both ways you mentioned, but it does not seem necessary
to use such methods, as it is just a little app.

Maybe I will use CanCan in the future when necessary.

Thank you anyway!