Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am using rails 3.2 and devise 1.5.3.
I added an admin attribute in my model as described in option 2 on the devise wiki How To: Add an Admin Role
I added this in a post controller for force logins:
before_filter :authenticate_user!
I wrote some logic to hide the edit/new links in my views based on whether you’re an admin or not.
I feel like there’s more I should be doing.. Should I add anything else to new/edit/delete actions to make them more secure? If so, where?
your answer may be working but it is pretty difficult to ensure security in the whole app if you are using
some logic to hide the edit/new links in my viewsand I’m pretty sure no amount ofsecurity testingwould give you the feeling that maybe you are forgetting about somethingfor example I someone could log in,,,, (not having admin profile) and go to (in the URL),:
/users/edit/3and start damaging your valuable information….situation is: Devise only provides authentication,,, but authorization has to be enforced in some other way or else I could be able to do the above things…
for that I would highly recommend CanCan (from rbates ofcourse) which is the one I have tested personally and is PRETTY easy to configure just by reading the docs and examples in github….. hope it helps!