
My blog has a Devise model called Admin.

I definitely don't want visitors of my website to be able to register as an admin. So I did the following:

In my config/routes.rb

devise_for :admins, controllers: { registrations: "registrations" }

After that I created a new app/controllers/registrations_controller.rb

class RegistrationsController < Devise::RegistrationsController
  before_action :authenticate_admin!
end

But when I visit my.site/admins/sign_up as a "normal visitor", the authenticate_admin! hook is not called, so I get a fully working registration form. Why isn't this working as expected?

zarathustra

1 Answer

The accepted answer from this question may help. To summarize, Devise's RegistrationsController skips authentication by default:

prepend_before_action :require_no_authentication, only: [:new, :create, :cancel]

So, skip it and your before_action should work:

class RegistrationsController < Devise::RegistrationsController
  skip_before_action :require_no_authentication
  before_action :authenticate_scope!
end
Community
vich
  • Thank you. Almost worked for me. As Lamp pointed out beneath the accepted answer in your linked question, I had to replace `authenticate_admin!` with `authenticate_scope!`. If you change your answer to this, I can accept it. – zarathustra Jul 17 '16 at 15:02
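
A stand-alone Ruby model of the filter chain discussed in this thread, added here as an example (it is not Devise's code and not code from either poster). It assumes the Devise behaviour that the generated `authenticate_admin!` helper does nothing inside a Devise controller unless called with `force: true`, which is what `authenticate_scope!` does; the class names and outcome symbols are hypothetical.

```ruby
# Added example: a simplified model of the before_action chain, not Devise's code.
# Class names and outcome symbols are hypothetical.
class FilterChain
  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : [])
  end
  def self.before_action(name); filters.push(name); end
  def self.prepend_before_action(name); filters.unshift(name); end
  def self.skip_before_action(name); filters.delete(name); end

  def initialize(signed_in); @signed_in = signed_in; end

  # Run the filters in order; the first one that halts decides the response.
  def get_sign_up
    self.class.filters.each { |f| send(f); return @halted if @halted }
    :renders_form
  end
end

class ModelRegistrations < FilterChain
  prepend_before_action :require_no_authentication
  def devise_controller?; true; end

  # Only turns away users who are already signed in; visitors pass through.
  def require_no_authentication
    @halted = :redirect_already_signed_in if @signed_in
  end

  # Assumed Devise behaviour: a no-op in Devise controllers unless forced.
  def authenticate_admin!(force: false)
    return unless !devise_controller? || force
    @halted = :redirect_to_sign_in unless @signed_in
  end

  def authenticate_scope!; authenticate_admin!(force: true); end
end

class AsInQuestion < ModelRegistrations
  before_action :authenticate_admin!
end

class AsInAnswer < ModelRegistrations
  skip_before_action :require_no_authentication
  before_action :authenticate_scope!
end

def sign_up_outcomes(controller)
  { visitor: controller.new(false).get_sign_up, admin: controller.new(true).get_sign_up }
end
```

In this model the question's controller still renders the form for an anonymous visitor, while the answer's controller sends the visitor to sign-in and lets a signed-in admin reach the form.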