0

I am trying to create a simple page where any visitor can read the weekly posts. I want there to only be 1 admin that can edit or create new posts.

How would I go about creating this?

I started with devise but theoretically anyone can go to the new_user_registration path and create a new user that would have access to the edit & new actions. How would I be able to restrict any new accounts from being created after the one I create? Or ideally limit the actions that any user that is not an admin can use?

I looked into Pundit for authorization but it seems like it is too much for such a simple task, is there a more simple way to do this with Rails?

coderwannabe2

2 Answers

0

You can simply add a new attribute to your User model that defines whether the instantiated user is an admin or not, for example. Let's call this attribute isAdmin. Then in your edit controller you can do the following:

if user.isAdmin == true
  # your editing code here
else
  # redirect
end
Walid Da.
  • Hmmm, so add an admin column to the user model, and then I would have to add the admin property to the specific user via my console, is this correct? – coderwannabe2 Jan 31 '15 at 19:03
  • Yes, using the console would be an option. – Walid Da. Jan 31 '15 at 19:05
  • Oh, that's a good question. You can, for example, let users ask to become admin using another dedicated controller (and views), and if you accept, the isAdmin variable will be set to true. – Walid Da. Feb 01 '15 at 11:38
0

If you just want to have 1 user, a single administrator, with a login and password, and no other user accounts, then I would recommend HTTP Digest Auth, which is supported by Rails out of the box and doesn't require any extra gems or plugins. (Or HTTP Basic Auth, but digest auth is a little more secure.)

Most of the following is taken from the Action Controller guide on the Rails website.

In config/routes.rb:

resources :posts

In controllers/posts_controller.rb:

class PostsController < ActionController::Base
  USERS = { "admin" => "password" }

  before_action :authenticate, except: [:index, :show]

  # actions here (index, show, new, create, edit, update, destroy)

  private

  def authenticate
    authenticate_or_request_with_http_digest do |username|
      USERS[username]
    end
  end
end

If you want, you can modify the routes so that the new/create/edit/update/destroy actions are in the 'admin/' part of the website:

In config/routes.rb:

scope '/admin' do
  resources :posts, except: [:index, :show]
end
resources :posts, only: [:index, :show]

This will still direct all post-related requests to the PostsController.

Michael Hewson
  • I am not entirely sure I understand this. Would I have to create the admin account & password in my console? Otherwise, how would the authenticate method fetch the password to authenticate? – coderwannabe2 Feb 01 '15 at 10:39
  • I'm not sure I know what you mean, but `authenticate_or_request_with_http_digest` takes a block; that block is given the username as the first argument, and must return the password. – Michael Hewson Feb 08 '15 at 20:35
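The comments under this answer ask what the server actually does with the password the block returns. As an added example, not code from the answer or from Rails itself, the plain-Ruby script below (standard library only) performs the same check the framework does behind `authenticate_or_request_with_http_digest`: it parses the `Digest` Authorization header the browser sends after the 401 challenge, looks the password up by username in the same USERS hash, recomputes the RFC 2617 response and compares it. The realm name, the nonce and cnonce values, and the `build_digest_header` helper that produces a realistic client header are constructed for the demonstration.

```ruby
require "digest/md5"

# Constructed credential store, mirroring the USERS hash from the answer above.
# In Rails, the block passed to authenticate_or_request_with_http_digest plays
# the role of the `users[username]` lookup in digest_valid? below.
USERS = { "admin" => "password" }.freeze
REALM = "Application" # assumed realm name (Rails takes the realm as an argument)

REQUIRED_FIELDS = %w[username realm nonce uri qop nc cnonce response].freeze

# Parse the comma-separated key="value" (or bare key=value) pairs of a
# Digest Authorization header into a Hash; nil if it is not a Digest header.
def parse_digest_header(header)
  return nil unless header.is_a?(String) && header.start_with?("Digest ")
  pairs = header.sub(/\ADigest\s+/, "").scan(/(\w+)=(?:"([^"]*)"|([^,]*))/)
  pairs.each_with_object({}) { |(key, quoted, bare), h| h[key] = quoted || bare }
end

# HA1 = MD5(username:realm:password): the only term that involves the secret,
# so a server may store this hash instead of the plaintext password.
def ha1(username, realm, password)
  Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
end

# Expected response for qop=auth (RFC 2617). The HTTP method and URI are
# bound in through HA2, so a digest computed for GET /posts/new does not
# verify when replayed as a POST or against another path.
def expected_response(method, creds, ha1_value)
  ha2 = Digest::MD5.hexdigest("#{method}:#{creds['uri']}")
  Digest::MD5.hexdigest([ha1_value, creds["nonce"], creds["nc"], creds["cnonce"], creds["qop"], ha2].join(":"))
end

# Constant-time comparison so the check does not leak how long a prefix matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side verification: look the password up by username and recompute the
# digest. Nonce freshness and nc tracking (replay protection) are the
# framework's job and are not modelled here.
def digest_valid?(method, header, users: USERS, realm: REALM)
  creds = parse_digest_header(header)
  return false if creds.nil? || REQUIRED_FIELDS.any? { |f| creds[f].nil? }
  return false unless creds["realm"] == realm && creds["qop"] == "auth"
  password = users[creds["username"]]
  return false if password.nil? # unknown user: no lookup result, no access
  expected = expected_response(method, creds, ha1(creds["username"], realm, password))
  secure_equal?(expected, creds["response"])
end

# Client side: build the Authorization header a browser would send after the
# 401 challenge. Used here only to produce realistic input for the check.
def build_digest_header(username, password, method, uri, nonce:, realm: REALM,
                        cnonce: "0a4f113b", nc: "00000001")
  creds = { "username" => username, "realm" => realm, "nonce" => nonce,
            "uri" => uri, "qop" => "auth", "nc" => nc, "cnonce" => cnonce }
  response = expected_response(method, creds, ha1(username, realm, password))
  %(Digest username="#{username}", realm="#{realm}", nonce="#{nonce}", ) +
    %(uri="#{uri}", qop=auth, nc=#{nc}, cnonce="#{cnonce}", response="#{response}")
end

if __FILE__ == $PROGRAM_NAME
  header = build_digest_header("admin", "password", "GET", "/posts/new", nonce: "constructed-nonce")
  puts "admin, correct password, GET: #{digest_valid?('GET', header)}"  # true
  puts "same header replayed as POST: #{digest_valid?('POST', header)}" # false
  wrong = build_digest_header("admin", "letmein", "GET", "/posts/new", nonce: "constructed-nonce")
  puts "wrong password:               #{digest_valid?('GET', wrong)}"   # false
end
```

Two things follow from the arithmetic. First, because only HA1 involves the secret, the lookup can return the stored MD5(username:realm:password) instead of the plaintext, and Rails' digest implementation accepts either form from the block. Second, the digest is MD5-based and the password literal in USERS lives in source, so the real deployment still wants the secret read from the app's configuration rather than a constant, and HTTPS in front of it.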