I have a sample Rails 3.1.1 application that I have set devise up to

Question

0

Editorial Team

Asked: June 1, 20262026-06-01T13:01:52+00:00 2026-06-01T13:01:52+00:00

I have a sample Rails 3.1.1 application that I have set devise up to

0

I have a sample Rails 3.1.1 application that I have set devise up to manage the user accounts etc.

I ran the following steps to add an admin attribute to the user table:

$ rails generate migration add_admin_to_user admin:boolean

Added the following to my migration:

class AddAdminToUser < ActiveRecord::Migration
  def self.up
    add_column :users, :admin, :boolean, :default => false
  end

  def self.down
    remove_column :users, :admin
  end
end

I then ran the db:migrate and added the following to my layout file:

<% if current_user.admin? %>
  You are ADMIN.
<%end %>

Then, to add the first admin user I used the following seed file:

puts 'SETTING UP DEFAULT USER LOGIN'
user = User.create! :name => 'Test User', :email => 'test@test.com', :password => 'password', :password_confirmation => 'password'
puts 'New user created: ' << user.name

That worked, so I then adapted it with the admin field:

puts 'SETTING UP DEFAULT USER LOGIN'
user = User.create! :name => 'Test User', :email => 'test@test.com', :password => 'password', :password_confirmation => 'password', :admin => 'true'
puts 'New user created: ' << user.name

The above seed file worked, but the admin flag isn’t being shown.

Have I missed something?

Update: model/user/rb

class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :token_authenticatable, :encryptable, :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable

  # Setup accessible (or protected) attributes for your model
  attr_accessible :name, :email, :password, :password_confirmation, :remember_me
end

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-01T13:01:53+00:00

Don’t add admin to attr_accessible. This could lead to a major security breach. A malicious user could send a PUT request as follows:

put /users/17?admin=1

which would grant user with id 17 admin privileges. The whole point of attr_accessible is to define which attributes are accessible to your model. This one in particular is probably not one you want available.

Instead, I suggest that you create your sample user with a rake file. Place a file (user_data.rake) in lib/tasks with the following and it should do the trick.

namespace :db do
  desc "Fill database with sample data"
  task populate: :environment do
    admin = User.create!(name: "Test User",
                 email: "test@test.com",
                 password: "password",
                 password_confirmation: "password")
    admin.toggle!(:admin)
  end
end

This defines a task db:populate and should be all you need for creating your sample user.

Having already done a db:migrate, just run db:reset, db:populate.

Note the admin.toggle!. That is where the magic happens.

The toggle method should be used with caution since it bypasses callbacks and validations you have defined for your model. In the case I’ve mentioned, since you are using it from a rake task manually there is no risk that it could be used maliciously in mass-assignment. You can find more information on the toggle method here: http://apidock.com/rails/ActiveRecord/Base/toggle

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a sample Rails 3.1.1 application that I have set devise up to

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply