How to restrict access to different pages in Rails?
I have controller Users:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
end
def index
@users = User.paginate(page: params[:page], per_page: 25)
end
......
end
Now users profiles are at /users/1, /users/2, etc. and list of users is at /users/.
I want to give special access:
- user can see only own profile
- admin can see the list of users and any profile
How can I restrict access this way?
ruby-on-rails
add a comment |
I have controller Users:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
end
def index
@users = User.paginate(page: params[:page], per_page: 25)
end
......
end
Now users profiles are at /users/1, /users/2, etc. and list of users is at /users/.
I want to give special access:
- user can see only own profile
- admin can see the list of users and any profile
How can I restrict access this way?
ruby-on-rails
There are many, many ways this could be done. There are libraries that do it, you could spin a drop-dead simple approach (hint: all you need to do is check the role of the current user and show the appropriate page). There are many tutorials that cover both rolling your own and using libraries. As worded now the question is quite broad.
– Dave Newton
Nov 22 '18 at 20:12
you can use cancan or rolify and combine it with devise'scurrent_user
method. If the user is admin then allow him otherwise check whether the id of the profile he is visiting is equal tocurrent_user.id
else throw him to default page.
– Gagan Gupta
Nov 23 '18 at 7:46
add a comment |
I have controller Users:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
end
def index
@users = User.paginate(page: params[:page], per_page: 25)
end
......
end
Now users profiles are at /users/1, /users/2, etc. and list of users is at /users/.
I want to give special access:
- user can see only own profile
- admin can see the list of users and any profile
How can I restrict access this way?
ruby-on-rails
I have controller Users:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
end
def index
@users = User.paginate(page: params[:page], per_page: 25)
end
......
end
Now users profiles are at /users/1, /users/2, etc. and list of users is at /users/.
I want to give special access:
- user can see only own profile
- admin can see the list of users and any profile
How can I restrict access this way?
ruby-on-rails
ruby-on-rails
edited Nov 22 '18 at 20:02
mechnicov
asked Nov 22 '18 at 19:55
mechnicovmechnicov
345111
345111
There are many, many ways this could be done. There are libraries that do it, you could spin a drop-dead simple approach (hint: all you need to do is check the role of the current user and show the appropriate page). There are many tutorials that cover both rolling your own and using libraries. As worded now the question is quite broad.
– Dave Newton
Nov 22 '18 at 20:12
you can use cancan or rolify and combine it with devise'scurrent_user
method. If the user is admin then allow him otherwise check whether the id of the profile he is visiting is equal tocurrent_user.id
else throw him to default page.
– Gagan Gupta
Nov 23 '18 at 7:46
add a comment |
There are many, many ways this could be done. There are libraries that do it, you could spin a drop-dead simple approach (hint: all you need to do is check the role of the current user and show the appropriate page). There are many tutorials that cover both rolling your own and using libraries. As worded now the question is quite broad.
– Dave Newton
Nov 22 '18 at 20:12
you can use cancan or rolify and combine it with devise'scurrent_user
method. If the user is admin then allow him otherwise check whether the id of the profile he is visiting is equal tocurrent_user.id
else throw him to default page.
– Gagan Gupta
Nov 23 '18 at 7:46
There are many, many ways this could be done. There are libraries that do it, you could spin a drop-dead simple approach (hint: all you need to do is check the role of the current user and show the appropriate page). There are many tutorials that cover both rolling your own and using libraries. As worded now the question is quite broad.
– Dave Newton
Nov 22 '18 at 20:12
There are many, many ways this could be done. There are libraries that do it, you could spin a drop-dead simple approach (hint: all you need to do is check the role of the current user and show the appropriate page). There are many tutorials that cover both rolling your own and using libraries. As worded now the question is quite broad.
– Dave Newton
Nov 22 '18 at 20:12
you can use cancan or rolify and combine it with devise's
current_user
method. If the user is admin then allow him otherwise check whether the id of the profile he is visiting is equal to current_user.id
else throw him to default page.– Gagan Gupta
Nov 23 '18 at 7:46
you can use cancan or rolify and combine it with devise's
current_user
method. If the user is admin then allow him otherwise check whether the id of the profile he is visiting is equal to current_user.id
else throw him to default page.– Gagan Gupta
Nov 23 '18 at 7:46
add a comment |
4 Answers
4
active
oldest
votes
Assuming you have a current_user
defined and your User
class has an admin
attribute you can do the following:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
if current_user.admin || @user == current_user
# render the show screen
else
# redirect to wherever
end
end
def index
if current_user.admin
@users = User.paginate(page: params[:page], per_page: 25)
# render the index screen
else
# redirect to wherever
end
end
......
end
Or you could just use one of the plenty of authorization gems out there, like cancancan or pundit.
add a comment |
You should use ACL libraries like cancancan or pundit or from ruby-toolbox.com
add a comment |
I would probably handle this by having two different endpoints, something like /profile
and /admin/users/1
. Then you have different controllers for them:
UserProfileController < ApplicationController
def show
@user = current_user
end
end
and:
class Admin::UsersController < AdminController
def show
@user = User.find(params[:id])
render 'user_profile/show' # or another template if you like
end
end
class AdminController < ApplicationController
before_action :ensure_admin
def ensure_admin
if !current_user.admin?
raise ActionController::RoutingError, 'Not Found'
end
end
end
add a comment |
Considering your url user/1/
you grab the param id and compare it to the current user ID in a hook :
before_action :auth_user
private
def auth_user
unless params[:id].to_s == current_user.id.to_s
redirect_to root_path
end
Regarding the admin you probably have a dedicated namespace, with even more thorough checks, where you can see user profiles.
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437361%2fhow-to-restrict-access-to-different-pages-in-rails%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Assuming you have a current_user
defined and your User
class has an admin
attribute you can do the following:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
if current_user.admin || @user == current_user
# render the show screen
else
# redirect to wherever
end
end
def index
if current_user.admin
@users = User.paginate(page: params[:page], per_page: 25)
# render the index screen
else
# redirect to wherever
end
end
......
end
Or you could just use one of the plenty of authorization gems out there, like cancancan or pundit.
add a comment |
Assuming you have a current_user
defined and your User
class has an admin
attribute you can do the following:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
if current_user.admin || @user == current_user
# render the show screen
else
# redirect to wherever
end
end
def index
if current_user.admin
@users = User.paginate(page: params[:page], per_page: 25)
# render the index screen
else
# redirect to wherever
end
end
......
end
Or you could just use one of the plenty of authorization gems out there, like cancancan or pundit.
add a comment |
Assuming you have a current_user
defined and your User
class has an admin
attribute you can do the following:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
if current_user.admin || @user == current_user
# render the show screen
else
# redirect to wherever
end
end
def index
if current_user.admin
@users = User.paginate(page: params[:page], per_page: 25)
# render the index screen
else
# redirect to wherever
end
end
......
end
Or you could just use one of the plenty of authorization gems out there, like cancancan or pundit.
Assuming you have a current_user
defined and your User
class has an admin
attribute you can do the following:
class UsersController < ApplicationController
......
def show
@user = User.find(params[:id])
if current_user.admin || @user == current_user
# render the show screen
else
# redirect to wherever
end
end
def index
if current_user.admin
@users = User.paginate(page: params[:page], per_page: 25)
# render the index screen
else
# redirect to wherever
end
end
......
end
Or you could just use one of the plenty of authorization gems out there, like cancancan or pundit.
answered Nov 22 '18 at 21:09
Yechiel KYechiel K
398511
398511
add a comment |
add a comment |
You should use ACL libraries like cancancan or pundit or from ruby-toolbox.com
add a comment |
You should use ACL libraries like cancancan or pundit or from ruby-toolbox.com
add a comment |
You should use ACL libraries like cancancan or pundit or from ruby-toolbox.com
You should use ACL libraries like cancancan or pundit or from ruby-toolbox.com
answered Nov 22 '18 at 20:07
NeodelfNeodelf
91113
91113
add a comment |
add a comment |
I would probably handle this by having two different endpoints, something like /profile
and /admin/users/1
. Then you have different controllers for them:
UserProfileController < ApplicationController
def show
@user = current_user
end
end
and:
class Admin::UsersController < AdminController
def show
@user = User.find(params[:id])
render 'user_profile/show' # or another template if you like
end
end
class AdminController < ApplicationController
before_action :ensure_admin
def ensure_admin
if !current_user.admin?
raise ActionController::RoutingError, 'Not Found'
end
end
end
add a comment |
I would probably handle this by having two different endpoints, something like /profile
and /admin/users/1
. Then you have different controllers for them:
UserProfileController < ApplicationController
def show
@user = current_user
end
end
and:
class Admin::UsersController < AdminController
def show
@user = User.find(params[:id])
render 'user_profile/show' # or another template if you like
end
end
class AdminController < ApplicationController
before_action :ensure_admin
def ensure_admin
if !current_user.admin?
raise ActionController::RoutingError, 'Not Found'
end
end
end
add a comment |
I would probably handle this by having two different endpoints, something like /profile
and /admin/users/1
. Then you have different controllers for them:
UserProfileController < ApplicationController
def show
@user = current_user
end
end
and:
class Admin::UsersController < AdminController
def show
@user = User.find(params[:id])
render 'user_profile/show' # or another template if you like
end
end
class AdminController < ApplicationController
before_action :ensure_admin
def ensure_admin
if !current_user.admin?
raise ActionController::RoutingError, 'Not Found'
end
end
end
I would probably handle this by having two different endpoints, something like /profile
and /admin/users/1
. Then you have different controllers for them:
UserProfileController < ApplicationController
def show
@user = current_user
end
end
and:
class Admin::UsersController < AdminController
def show
@user = User.find(params[:id])
render 'user_profile/show' # or another template if you like
end
end
class AdminController < ApplicationController
before_action :ensure_admin
def ensure_admin
if !current_user.admin?
raise ActionController::RoutingError, 'Not Found'
end
end
end
answered Nov 23 '18 at 2:56
lobatilobati
2,51032140
2,51032140
add a comment |
add a comment |
Considering your url user/1/
you grab the param id and compare it to the current user ID in a hook :
before_action :auth_user
private
def auth_user
unless params[:id].to_s == current_user.id.to_s
redirect_to root_path
end
Regarding the admin you probably have a dedicated namespace, with even more thorough checks, where you can see user profiles.
add a comment |
Considering your url user/1/
you grab the param id and compare it to the current user ID in a hook :
before_action :auth_user
private
def auth_user
unless params[:id].to_s == current_user.id.to_s
redirect_to root_path
end
Regarding the admin you probably have a dedicated namespace, with even more thorough checks, where you can see user profiles.
add a comment |
Considering your url user/1/
you grab the param id and compare it to the current user ID in a hook :
before_action :auth_user
private
def auth_user
unless params[:id].to_s == current_user.id.to_s
redirect_to root_path
end
Regarding the admin you probably have a dedicated namespace, with even more thorough checks, where you can see user profiles.
Considering your url user/1/
you grab the param id and compare it to the current user ID in a hook :
before_action :auth_user
private
def auth_user
unless params[:id].to_s == current_user.id.to_s
redirect_to root_path
end
Regarding the admin you probably have a dedicated namespace, with even more thorough checks, where you can see user profiles.
answered Nov 24 '18 at 2:03
MaxenceMaxence
6451616
6451616
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437361%2fhow-to-restrict-access-to-different-pages-in-rails%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
There are many, many ways this could be done. There are libraries that do it, you could spin a drop-dead simple approach (hint: all you need to do is check the role of the current user and show the appropriate page). There are many tutorials that cover both rolling your own and using libraries. As worded now the question is quite broad.
– Dave Newton
Nov 22 '18 at 20:12
you can use cancan or rolify and combine it with devise's
current_user
method. If the user is admin then allow him otherwise check whether the id of the profile he is visiting is equal tocurrent_user.id
else throw him to default page.– Gagan Gupta
Nov 23 '18 at 7:46