I’m working through the Rails Tutorial, by Michael Hartl, and a question popped up, as I was creating an admin user.
I followed the instructions and created an admin_user, who has access to the :destroy method. It also isn't attr_accessible, so people can't simply send a PUT request via the browser and change themselves to admin.
But I have a two-part question:
1) How would I make a user admin?
I thought I would need to write something like this in the console:
    rails console
    user = User.find(params[:101])
    user.toggle!(:admin)
When I try that, I get
    undefined local variable or method `params' for main:Object
2) Assuming that it is possible to make myself an admin, what’s stopping other people from making themselves admin using a command line as well?
Here's a copy of users_controller. I think Michael addressed this in the tutorial, and I followed his instructions, but I don't get how the code below prevents someone from going to the command line and making themselves admin.
    class UsersController < ApplicationController
      # Filters run before the listed actions; a filter that redirects
      # stops the action body from ever executing.
      before_filter :signed_in_user, only: [:edit, :update, :index, :destroy]
      before_filter :correct_user,   only: [:edit, :update]
      before_filter :admin_user,     only: :destroy

      def destroy
        User.find(params[:id]).destroy
        flash[:success] = "User destroyed."
        redirect_to users_url
      end

      def index
        @users = User.paginate(page: params[:page])
      end

      def show
        @user = User.find(params[:id])
      end

      def new
        unless signed_in?
          @user = User.new
        else
          redirect_to @current_user
        end
      end

      def create
        unless signed_in?
          # params[:user] goes through mass assignment; only attr_accessible
          # attributes are set, so a submitted "admin" key is not applied.
          @user = User.new(params[:user])
          if @user.save
            sign_in @user
            flash[:success] = "Welcome to the Sample App!"
            redirect_to @user
          else
            render 'new'
          end
        else
          redirect_to @current_user
        end
      end

      def edit
      end

      def update
        # @user is set by the correct_user filter; same mass-assignment
        # rules as create apply to params[:user] here.
        if @user.update_attributes(params[:user])
          flash[:success] = "Profile updated"
          sign_in @user
          redirect_to @user
        else
          render 'edit'
        end
      end

      private

        def signed_in_user
          unless signed_in?
            store_location
            redirect_to signin_url, notice: "Please sign in."
          end
        end

        def correct_user
          @user = User.find(params[:id])
          redirect_to(root_path) unless current_user?(@user)
        end

        def admin_user
          redirect_to(root_path) unless current_user.admin?
        end
    end
I would really appreciate your help clearing things up!
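An added example, not code from the question or from the Rails Tutorial: a plain-Ruby stand-in for the tutorial's User model that shows what `attr_accessible :name, :email` (with `admin` left off the list) does to a request that smuggles in `user[admin]=1`, and why `toggle!(:admin)` still works from the console. It needs no Rails; the `TABLE` hash stands in for the users table, `User.find(id)` is what the console needs in place of `params` (which only exists inside controllers and views), and the `strict` flag is an assumption that mirrors `config.active_record.mass_assignment_sanitizer = :strict`. Names such as `attacker_attempt` and `console_promote` are invented for illustration.

```ruby
# Added example: Rails 3 mass-assignment protection modelled in plain Ruby.
class MassAssignmentError < StandardError; end

class User
  # Mirrors `attr_accessible :name, :email` in the tutorial's User model;
  # `admin` is deliberately not whitelisted.
  ACCESSIBLE = %i[name email].freeze

  TABLE = {} # stand-in for the users table (assumption for this example)

  attr_reader :id, :name, :email, :admin, :rejected
  alias admin? admin

  # strict = true mirrors the :strict mass_assignment_sanitizer, which raises;
  # strict = false mirrors :logger, which drops the attribute and logs it.
  def initialize(id, attrs = {}, strict = false)
    @id = id
    @admin = false
    @strict = strict
    @rejected = []
    assign_attributes(attrs)
  end

  # Console-style lookup, standing in for ActiveRecord's User.find(101).
  def self.find(id)
    TABLE.fetch(id) { raise KeyError, "Couldn't find User with id=#{id}" }
  end

  def save
    TABLE[@id] = self
    true
  end

  # Mass assignment, as done by User.new(params[:user]) and
  # update_attributes(params[:user]): only whitelisted keys get through.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_sym
      if ACCESSIBLE.include?(key)
        instance_variable_set("@#{key}", value)
      elsif @strict
        raise MassAssignmentError, "Can't mass-assign protected attributes: #{key}"
      else
        @rejected << key # dropped; Rails would log a warning here
      end
    end
    self
  end

  def update_attributes(attrs)
    assign_attributes(attrs)
    true
  end

  # toggle! writes the attribute directly rather than through mass assignment,
  # which is why it works from the console but cannot be reached over HTTP.
  def toggle!(attribute)
    instance_variable_set("@#{attribute}", !send(attribute))
    self
  end
end

# What a browser can do: PUT /users/:id with user[admin]=1 added to the form.
# The name change goes through; the admin flag is rejected.
def attacker_attempt(user)
  user.update_attributes("name" => "Mallory", "admin" => true)
end

# What the console does: `user = User.find(101); user.toggle!(:admin)`.
def console_promote(id)
  User.find(id).toggle!(:admin)
end
```

The controller's `admin_user` filter only guards the `destroy` action over HTTP; it has no bearing on the console, which runs as the server's operating-system user with full database access. The boundary that keeps visitors from promoting themselves is the `attr_accessible` whitelist on the model, and the boundary that keeps them out of `rails console` is shell access to the server itself.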
1 Answer