
What would be the best way to allow a logged-in user only access to a certain controller#action if condition X is met?

  • for example, a user has deactivated his account ( user.is_deleted == true )
  • if the user logs in I want to redirect him to /reactivate
  • if the user tries any other URL like /profiles or /search it should redirect to /reactivate

I have tried before_filters in ApplicationController with exceptions for the login and logout methods, but they don't work correctly and mess up other actions, so I'm really looking for a clean way to do this. Anyone a suggestion?

Currently I'm using the following:

def after_sign_in_path_for(resource)
  @user = User.where(:id => current_user.id).first

  if @user.is_deleted == true
    "/reactivate"
  else
    super # fall back to Devise's default path; returning nil here breaks the post-login redirect
  end
end

BUT *this only works on user login*; afterwards they can just do something like /home, /search etc. So I want to "lock down" the app. I have thought perhaps instead of custom code one would need to do this with something like CanCan.

Do you know a working maintainable clean way to do this?

EDIT:

Did something like this (you see, too messy and it breaks):

  def welcome_redirect
    if user_signed_in?
      if not current_user.welcome == 0
        if not params[:controller] == "home" && params[:action] == "welcome"
          if not params[:controller] == "modal"
            if not params[:controller] == "profiles"
              redirect_to profiles_path
            end
          end
        end
      end
    end
  end

EDIT 2:

This seems to work:

  def ensure_account_not_deleted
    if user_signed_in?
      @user = User.where(:id => current_user.id).first
      # Exempt only users#reactivate. Writing the test as
      # `params[:controller] != "users" && params[:action] != "reactivate"`
      # would also let a deleted user into every other UsersController action.
      on_reactivate = params[:controller] == "users" && params[:action] == "reactivate"
      if !on_reactivate && @user.is_deleted == true
        redirect_to '/reactivate'
      end
    end
  end
  * Another before_filter was messing with some values, causing this not to work, I just found out! Thanks all for the suggestions leading to this solution. *
Rubytastic

3 Answers


What's wrong with:

#Application Controller

before_filter :ensure_account_not_deleted

def ensure_account_not_deleted
  return unless user_signed_in? # current_user is nil on anonymous requests

  # exempt only the reactivation action itself, otherwise the filter redirects in a loop
  on_reactivate = params[:controller] == "users" && params[:action] == "reactivate"
  if !on_reactivate && current_user.is_deleted == true
    redirect_to '/reactivate'
  end
end

EDIT:

I wrote the code to exclude the reactivation action from being redirected over and over again.

I assumed two things here:

  1. The controller which deals with reactivating is UsersController.

  2. The action is called "reactivate".

Erez Rabih
  • That returns "The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete." – Rubytastic Sep 05 '12 at 11:39
  • You are right, this is happening because I did not exclude the reactivation action from redirecting, which caused an infinite loop of redirection to '/reactivate'. I altered my code to better fit the question. – Erez Rabih Sep 05 '12 at 11:55
  • Argh, I got it working finally; another before filter was also messing around. It's now solid I believe, tested it a few times. – Rubytastic Sep 05 '12 at 12:11
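The gate from this answer and from the question's EDIT 2, written out as an added example (not code from the question or the answers) in plain Ruby so the decision logic can be exercised without a Rails app. It also reproduces the condition `params[:controller] != "users" && params[:action] != "reactivate"` next to a correct one, because by De Morgan that condition exempts *every* action of UsersController (and any action named "reactivate" anywhere), not just users#reactivate, which is an authorization gap for deleted accounts. The names `ReactivationGate`, `Route`, `Account` and the route table are assumptions of this example; `users#reactivate`, `is_deleted` and the `/reactivate` path come from the thread, and `devise/sessions` is Devise's default sessions controller, exempted here so a deleted user can still log out.

```ruby
# Added example, not code from the question or answers.
# In the real app, ApplicationController's before_filter would call
# ReactivationGate.redirect_for(current_user, Route.new(params[:controller], params[:action]))
# and redirect_to the result when it is non-nil.

Route   = Struct.new(:controller, :action)   # stand-in for params[:controller]/params[:action]
Account = Struct.new(:is_deleted)            # stand-in for the User model's is_deleted flag

module ReactivationGate
  REACTIVATE_PATH = "/reactivate"

  # Routes a deleted user may still reach: the reactivation action itself
  # (otherwise the redirect loops) and Devise's session controller so that
  # logging out keeps working. Everything else is locked down.
  def self.exempt?(route)
    (route.controller == "users" && route.action == "reactivate") ||
      route.controller == "devise/sessions"
  end

  # Correct gate: returns the redirect target, or nil when the request may proceed.
  def self.redirect_for(account, route)
    return nil if account.nil?          # anonymous requests are Devise's authenticate_user!'s job
    return nil unless account.is_deleted
    return nil if exempt?(route)
    REACTIVATE_PATH
  end

  # The condition from the thread reproduced as written, for comparison:
  # `!= "users" && != "reactivate"` equals `!(controller == "users" || action == "reactivate")`,
  # so the whole UsersController is exempt, not only users#reactivate.
  def self.redirect_for_loose(account, route)
    return nil if account.nil? || !account.is_deleted
    if route.controller != "users" && route.action != "reactivate"
      REACTIVATE_PATH
    end
  end

  # Constructed sample request table (assumption of this example).
  SAMPLE_ROUTES = [
    Route.new("home", "index"),
    Route.new("profiles", "show"),
    Route.new("search", "index"),
    Route.new("users", "reactivate"),
    Route.new("users", "edit"),             # a deleted user must NOT reach this
    Route.new("devise/sessions", "destroy"), # logout must stay reachable
  ].freeze

  # Routes where the loose condition lets a deleted user through
  # although the correct gate redirects.
  def self.bypassed_routes
    deleted = Account.new(true)
    SAMPLE_ROUTES.select do |r|
      redirect_for(deleted, r) == REACTIVATE_PATH && redirect_for_loose(deleted, r).nil?
    end
  end
end

if __FILE__ == $0
  ReactivationGate.bypassed_routes.each do |r|
    puts "loose condition lets a deleted user reach #{r.controller}##{r.action}"
  end
end
```

Running it lists `users#edit` as the route the loose condition leaves open. In a Rails controller the same exemption is usually expressed with `skip_before_filter :ensure_account_not_deleted, :only => :reactivate` on UsersController rather than by inspecting `params` in the filter itself.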

I also had a similar check that if a user account is deactivated then he shouldn't be able to access the application. I did

class SessionsController < Devise::SessionsController
  ....
  def create
    resource = build_resource
    #to check if user is active or the organisation he belongs to is active
    if current_user and current_user.organisation and (!current_user.is_active or !current_user.organisation.is_active)
      sign_out current_user
      flash[:notice] = "Account deactivated. Contact Admin."
      redirect_to root_path and return
    end
    super
  end
  ....
end

and added

before_filter :authenticate_user!

to all the controllers

Prasad Surase
  • Thanks, I tried it like that but this fails; the redirect throws another browser error: "The page you are trying to view cannot be shown because an error in the data transmission was detected." This would only work on the create of a session, and the user will be logged out (I need the user to be logged in). – Rubytastic Sep 05 '12 at 12:00
  • Please add a bit more info about your approach. I don't usually create a separate SessionsController for this. Not saying it is wrong, just a bit more higher level info about the approach would be helpful (and get + votes of course). – Michael Durrant Sep 05 '12 at 12:19

I have the root_path as `root :to => "sessions#new"`. In my application, every user (except the super admin) belongs to an organisation. The super admin can activate/deactivate a user/organisation. If a user is deactivated then he shouldn't be allowed to log in. If the organisation is deactivated, no user belonging to that organisation should be allowed to log in. I have overridden the Sessions controller to 1) maintain the user login/logout time with IP address and time for reports, 2) disallow a user who doesn't belong to a company from logging in, and 3) check if the user is active or the organisation he belongs to is active.

Prasad Surase