21

I want only users whose is_admin attribute is set to true to be able to access my Active Admin backend.

How should I do this?

"Normal" users should only be able to login to the site, not to active admin.

Cœur
Jasper Kennis

2 Answers

41

In config/initializers/active_admin.rb you have this config:

config.authentication_method = :authenticate_admin_user!

so if you create a method named authenticate_admin_user! in the ApplicationController, then ActiveAdmin will check whether the user may go to the admin pages or not. Like this:

# restrict access to admin module for non-admin users
def authenticate_admin_user!
  raise SecurityError unless current_user.try(:admin?)
end

and rescue from that exception in ApplicationController (or you can actually redirect inside the authenticate_admin_user! method):

rescue_from SecurityError do |exception|
  redirect_to root_url
end

And one more small thing, if you don't have admin_users, then it would be nice to change this line in config/initializers/active_admin.rb:

config.current_user_method = :current_user

And with Devise you might want to make the default path different for admin/non-admin users, so you can define the after_sign_in_path_for method in the controller:

# path for redirection after user sign_in, depending on user role
def after_sign_in_path_for(user)
  user.admin? ? admin_dashboard_path : root_path
end
alony
  • This seems like a good solution, but current_user seems unavailable within the ApplicationController... Can't I put it somewhere else? – Jasper Kennis Feb 23 '12 at 16:18
  • mm, the controller is actually the place where it is used the most. So what problem do you have, does it return nil or NoMethodError? – alony Feb 23 '12 at 16:36
  • It returns nil; `undefined method 'admin?' for nil:NilClass`. I DID define the .admin? method, so that's not it. I found several cases of current_user not being available in the ApplicationController, it seems you're not supposed to access it from there. – Jasper Kennis Feb 23 '12 at 16:40
  • D'oh, obviously when not logged in, no active_user is present xD So authenticate_admin_user should read `!current_user.nil? and current_user.admin?`. Getting there now. – Jasper Kennis Feb 23 '12 at 17:09
  • yep, you are right. And I tried the code, returning true/false did not work for me, so I changed it to the exceptions system (edited the answer for both this issue and the current_user is nil case) – alony Feb 23 '12 at 17:24
  • Also, the custom authentication method shouldn't return true or false, but handle the redirection. – Jasper Kennis Feb 23 '12 at 17:27
  • Your answer is very good, thanks a lot! I really like the SecurityError handling way of doing this! – Jasper Kennis Feb 23 '12 at 18:26
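The guard from the accepted answer, modelled in plain Ruby without Rails so the logged-out case the comments ran into can be exercised directly. This is an added example, not alony's code: the User struct, the `admin_dashboard` action and the paths are assumptions, and `&.` stands in for ActiveSupport's `try(:admin?)`.

```ruby
# Added example (not from the original answer): a Rails-free model of the hook
# ActiveAdmin calls via config.authentication_method, plus the rescue flow.
# Assumes a User with an `admin` flag; the redirect paths are placeholders.

User = Struct.new(:email, :admin) do
  def admin?
    admin == true
  end
end

class ApplicationController
  attr_reader :redirected_to, :current_user

  # current_user is nil when nobody is signed in (Devise behaves the same way)
  def initialize(current_user = nil)
    @current_user = current_user
  end

  # The version from the comment thread that broke: for a logged-out visitor
  # this raises NoMethodError instead of denying access cleanly.
  def naive_authenticate_admin_user!
    raise SecurityError unless current_user.admin?
  end

  # Hardened guard: `&.` is plain Ruby's equivalent of ActiveSupport's
  # `try(:admin?)`, so a nil user and a non-admin user both fail the check.
  def authenticate_admin_user!
    raise SecurityError unless current_user&.admin?
  end

  # Stands in for Rails' `rescue_from SecurityError`: the admin page is never
  # rendered; the visitor is sent back to the root URL instead.
  def admin_dashboard
    authenticate_admin_user!
    :rendered
  rescue SecurityError
    @redirected_to = "/"
    :redirected
  end

  # Devise hook: admins land on the admin dashboard, everyone else on the root
  def after_sign_in_path_for(user)
    user.admin? ? "/admin" : "/"
  end
end
```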
0

For "Normal" users you should write separate logic to log in to the site, or maybe I did not understand why you want to allow users to log in through Active Admin. Active Admin uses Devise; just create another model called User.

zolter
  • No that's not what I want to do, since admin users should be able to use the front part of the site too. I believe it's good practice to have only one user model. – Jasper Kennis Feb 23 '12 at 15:57