Home/ Questions/Q 7562915
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T13:31:52+00:00

So I am using STI to incorporate some roles into my users table. Right

  • 0

So I am using STI to incorporate some roles into my users table. Right now I just have normal users and admins. I have installed Rails_admin and I need a way to authenticate admins but I am not sure how to do it safely.

Right now I have this code in my Application Controller

def authenticate_admin!(opts={})
  current_admin || redirect_to(?)
end

def current_admin
  current_user if current_user.is_a? Admin
end

In My rails_admin.rb file i have this

config.authenticate_with do
 authenticate_admin!
end

My current issue is that I cannot get the redirect_to to actually direct to anything. I keep getting errors. Also is a simple redirect if the user isn’t an admin all I need? Is that best practice and most secure? Am I going in the right direction here? Any help would be appreciated. Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ok, a couple things:

    1) CanCan is pretty easy to use and worth the minor installation. Here’s an example of what app/models/ability.rb might look like if you have two user instance methods is_admin? and is_reviewer?

    class Ability
  include CanCan::Ability
  def initialize(user)
    if user && user.is_reviewer?
      can :access, :rails_admin
      can :dashboard
      cannot :read, [Class1, Class2, Class3]
      can :read, Class4
    end
    if user && user.is_admin?
      can :access, :rails_admin
      can :manage, :all
    end
  end
end

    Your RailsAdmin config would contain the following:

    RailsAdmin.config do |config|
  config.authorize_with :cancan
  ...
end

    And don’t forget, you’ll have to add cancan to your Gemfile to be installed as a dependency.

    2) Next, and probably more valuable, is that you don’t want to throw the redirect code in the authenticate method. Instead, you might want to add the following to ApplicationController:

    rescue_from Acl9::AccessDenied do |exception|
  respond_to do |format|
    format.json do
      render :json => { :success => false, :message => "You do not have access to do this action." }
    end
    format.html do
      flash[:error] = 'You do not have access to view this page.'
      redirect_to root_url
    end
  end
end

    Or just:

    rescue_from Acl9::AccessDenied do |exception|
  flash[:error] = 'You do not have access to view this page.'
  redirect_to root_url
end
    • 0