How to restrict access to different pages in Rails?
I have a controller Users:
class UsersController < ApplicationController
  # ...
  def show
    @user = User.find(params[:id])
  end
  def index
    @users = User.paginate(page: params[:page], per_page: 25)
  end
  # ...
end
Now users' profiles are at /users/1, /users/2, etc., and the list of users is at /users/.
I want to give special access:
- user can see only own profile
- admin can see the list of users and any profile
How can I restrict access this way?
ruby-on-rails
edited Nov 22 at 20:02
asked Nov 22 at 19:55
mechnicov
4119
There are many, many ways this could be done. There are libraries that do it, you could spin a drop-dead simple approach (hint: all you need to do is check the role of the current user and show the appropriate page). There are many tutorials that cover both rolling your own and using libraries. As worded now the question is quite broad.
– Dave Newton
Nov 22 at 20:12
You can use cancan or rolify and combine it with devise's current_user method. If the user is an admin then allow him; otherwise check whether the id of the profile he is visiting is equal to current_user.id, else throw him to the default page.
– Gagan Gupta
Nov 23 at 7:46
4 Answers
Assuming you have a current_user defined and your User class has an admin attribute, you can do the following:
class UsersController < ApplicationController
  # ...
  def show
    @user = User.find(params[:id])
    if current_user.admin || @user == current_user
      # render the show screen
    else
      # redirect to wherever
    end
  end
  def index
    if current_user.admin
      @users = User.paginate(page: params[:page], per_page: 25)
      # render the index screen
    else
      # redirect to wherever
    end
  end
  # ...
end
Or you could just use one of the many authorization gems out there, like cancancan or pundit.
answered Nov 22 at 21:09
Yechiel K
398411
You should use ACL libraries like cancancan or pundit, or one from ruby-toolbox.com.
answered Nov 22 at 20:07
Neodelf
81112
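The "owner or admin" rule from the first answer, and the policy-object style the answers recommending pundit or cancancan point at, as an added example in plain Ruby that is not code from any of the answers or from the pundit gem. It models a Pundit-style policy (UserPolicy with show? and index?, plus a Scope for listings) without depending on Rails or pundit; User, USERS, UserPolicy, authorize_show, authorize_index and visible_user_ids are names constructed for this example, and the in-memory USERS table stands in for the users table.

```ruby
# Added example, not from the answers above: a Pundit-style policy object in
# plain Ruby. User, USERS, UserPolicy and the helpers below are constructed names;
# the pundit gem itself is not used, and USERS stands in for the users table.
User = Struct.new(:id, :name, :admin, keyword_init: true) do
  def admin?
    admin == true
  end
end

# Constructed in-memory "table" so the example runs without a database.
USERS = [
  User.new(id: 1, name: "alice", admin: false),
  User.new(id: 2, name: "bob",   admin: false),
  User.new(id: 3, name: "root",  admin: true),
].freeze

class UserPolicy
  attr_reader :current_user, :record

  def initialize(current_user, record)
    @current_user = current_user
    @record = record
  end

  # /users (index): admins only.
  def index?
    !current_user.nil? && current_user.admin?
  end

  # /users/:id (show): the profile's owner or an admin. Ids are compared rather
  # than objects, so two separately loaded copies of the same row still match.
  def show?
    return false if current_user.nil? || record.nil?
    current_user.admin? || current_user.id == record.id
  end

  # Scope: the rows the current user may list. Non-admins get only their own
  # row, so a listing endpoint cannot leak other users' records by accident.
  class Scope
    def initialize(current_user, relation)
      @current_user = current_user
      @relation = relation
    end

    def resolve
      return [] if @current_user.nil?
      return @relation if @current_user.admin?
      @relation.select { |u| u.id == @current_user.id }
    end
  end
end

# What a show action would do: find the record, then ask the policy.
# Returns :ok or :not_found. "Not yours" and "does not exist" deliberately get
# the same answer, so a non-admin cannot learn which ids are taken by probing.
def authorize_show(current_user, id)
  record = USERS.find { |u| u.id == id.to_i }
  UserPolicy.new(current_user, record).show? ? :ok : :not_found
end

# What an index action would do: returns :ok or :forbidden (no record to hide here).
def authorize_index(current_user)
  UserPolicy.new(current_user, nil).index? ? :ok : :forbidden
end

# What an index action would list: ids of the rows the policy scope allows.
def visible_user_ids(current_user)
  UserPolicy::Scope.new(current_user, USERS).resolve.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  alice, root = USERS[0], USERS[2]
  p authorize_show(alice, "1")   # :ok
  p authorize_show(alice, "2")   # :not_found
  p authorize_show(root, "2")    # :ok
  p authorize_index(alice)       # :forbidden
  p visible_user_ids(alice)      # [1]
end
```

Two choices differ from the inline if in the first answer: ids are compared instead of objects, and a non-admin asking for somebody else's profile gets the same :not_found as for an id that does not exist, so the response does not reveal which ids are taken. The Scope moves the "which rows may this caller see" decision out of the action, so a listing endpoint cannot hand back other users' rows just because a branch was forgotten.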
I would probably handle this by having two different endpoints, something like /profile and /admin/users/1. Then you have different controllers for them:
class UserProfileController < ApplicationController
  # always shows the signed-in user's own profile; no id is read from the URL
  def show
    @user = current_user
  end
end
and:
class Admin::UsersController < AdminController
  def show
    @user = User.find(params[:id])
    render 'user_profile/show' # or another template if you like
  end
end
class AdminController < ApplicationController
  before_action :ensure_admin
  def ensure_admin
    if !current_user.admin?
      raise ActionController::RoutingError, 'Not Found'
    end
  end
end
answered Nov 23 at 2:56
lobati
2,45532140
Considering your URL user/1/, you grab the param id and compare it to the current user ID in a hook:
before_action :auth_user
private
def auth_user
  unless params[:id].to_s == current_user.id.to_s
    redirect_to root_path
  end
end
Regarding the admin, you probably have a dedicated namespace, with even more thorough checks, where you can see user profiles.
answered Nov 24 at 2:03
Maxence
6401616
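How the two hooks above behave once they sit in a before_action chain, as an added example that is not code from either answer: a miniature stand-in for the Rails filter chain in plain Ruby. MiniController, Request, Response, NotFound and dispatch are constructed for this example (Rails itself provides before_action, redirect_to, params and current_user). It runs the id-comparing auth_user hook from the last answer and the ensure_admin guard from the previous one over constructed requests, showing that a filter which redirects halts the chain so the action body never runs, and that the admin guard answers Not Found rather than a 403.

```ruby
# Added example, not from the answers above: a tiny stand-in for the Rails
# before_action chain. Everything here is constructed for illustration.
Request  = Struct.new(:params, :current_user, keyword_init: true)
Response = Struct.new(:status, :location, :body, keyword_init: true)
User     = Struct.new(:id, :admin, keyword_init: true) do
  def admin?
    admin == true
  end
end
# Stands in for ActionController::RoutingError, which Rails turns into a 404.
class NotFound < StandardError; end

class MiniController
  def self.filters
    @filters ||= []
  end

  # Mirrors Rails' before_action: register a method to run before the action.
  def self.before_action(name)
    filters << name
  end

  # Filters declared on ancestors run first, as in Rails.
  def self.filter_chain
    ancestors.select { |k| k.respond_to?(:filters) }.reverse.flat_map(&:filters)
  end

  attr_reader :params, :current_user, :response

  def initialize(request)
    @params = request.params
    @current_user = request.current_user
    @response = nil
  end

  # Run the filters; if one redirects or renders, the action is skipped. This is
  # the Rails rule that makes a redirecting before_action an effective guard.
  def process(action)
    self.class.filter_chain.each do |filter|
      send(filter)
      return response if performed?
    end
    send(action)
    response
  end

  def performed?
    !response.nil?
  end

  def redirect_to(path)
    @response = Response.new(status: 302, location: path, body: "")
  end

  def render(body)
    @response = Response.new(status: 200, location: nil, body: body)
  end
end

# The hook from the last answer: /users/:id may only be viewed by that user.
class UsersController < MiniController
  before_action :auth_user

  def show
    render "profile of user #{params[:id]}"
  end

  private

  def auth_user
    # to_s on both sides: params arrive as strings, ids are integers.
    unless current_user && params[:id].to_s == current_user.id.to_s
      redirect_to "/"
    end
  end
end

# The guard from the previous answer: an admin namespace whose base controller
# answers Not Found to anyone who is not an admin.
class AdminController < MiniController
  before_action :ensure_admin

  private

  def ensure_admin
    raise NotFound, "Not Found" unless current_user&.admin?
  end
end

module Admin
  class UsersController < AdminController
    def show
      render "admin view of user #{params[:id]}"
    end
  end
end

# Push one request through a controller's show action and summarise the result
# as [:ok, body], [:redirect, location] or [:not_found, nil].
def dispatch(controller_class, params, current_user)
  ctrl = controller_class.new(Request.new(params: params, current_user: current_user))
  resp = ctrl.process(:show)
  resp.status == 302 ? [:redirect, resp.location] : [:ok, resp.body]
rescue NotFound
  [:not_found, nil]
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(id: 1, admin: false)
  p dispatch(UsersController, { id: "2" }, alice)        # [:redirect, "/"]
  p dispatch(Admin::UsersController, { id: "2" }, alice) # [:not_found, nil]
end
```

The point to check in a real app is the one `process` models: a guard only works if it halts. In Rails a before_action that calls redirect_to or render halts the chain, but a filter that merely computes a boolean and returns it does not, so the action would still run. The signed-out case is also covered by the `current_user &&` test in auth_user, since comparing against nil.id would otherwise raise.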