I'm currently changing around how my ActiveAdmin interface works so that it integrates both attr_accessible items and CanCan. In some of my models I have a specific controller action for the Submit button on the form such as
= f.actions do
= f.action :submit, label: 'Update Password'
And in that Update Password method I am able to do the update_attributes(*,as: #admin_user.role.name.to_sym) where #admin_user is the current admin user. This allows only admin users with the permitted role to update their password.
The problem I have is when ActiveAdmin is doing the generic update, specifically
=f.action :submit
How can I pass options to ActiveAdmin so that when it does the update it will use the specified role? I know that the buttons use Formtasti, and that the :label method is part of that, but I can't seem to find anything about using passing other options.
One option for me is to write an override for the edit method in each of my models, but that kinda defeats the purpose of ActiveAdmin, doesn't it?
Now, my CanCan abilities already have been set so that only certain roles can access certain items. Does this override the attr_accessible items? I know that if the item is not attr_accessible, even if it's manageable in CanCan, will not change via mass-assignment.
What I really need to know is that if I were a hacker, could I inject an update_attributes(params[:whatever], as: :admin) and it would block it because of CanCan's Ability? Is it worth it to have both the item be protected via attr_accessibleand CanCan's Ability class?
ActiveAdmin and SimpleForm do not support the as: [role] feature which I was trying to work with. However, this isn't a problem with strong_parameters in Rails 4 since it's a completely different way of handling mass-assignment.
Also, CanCan does block out any mass-assignment hacks since you can't mass-assign unless you have access to the form, and if you don't have explicit :edit, :update, or :manage permission then you don't have access to the form.
Related
Good afternoon. I'm a beginner in Rails and I'm starting this project in college and I need some help. I have users that don't need sign up. I will create all the users. Then, I decided to use the gem ActiveAdmin, and I can add the users through the graphic interface. I thought it would be easy but, after finish the installation, I tried to add some user and I've got a surprise:
I have all those fields created by devise to edit.
http://i.stack.imgur.com/yAK1h.png
I wanna know if there is a way that I can edit only the fields created by me, and those other fields automatically fill, like if I'm creating a new user with devise.
P.S: I wanna just lines to follow, not the entire resolution. I'm really lost rs.
Yes, you can set which inputs you want to appear in your form:
ActiveAdmin.register AdminUser do
form do |f|
f.inputs do
f.input :email
f.input :password
end
f.actions
end
end
The rest of the inputs will be filled by Devise.
Docs for ActiveAdmin form: https://github.com/gregbell/active_admin/blob/master/docs/5-forms.md
Is there a way to load a view for no confirmed users that login?
Default behaviour is to show a notice: " You have to confirm your account before continuing."
I tried
overrule the sessions#create method of devise checking for current_user.confirmed_at.blank?
in the after_singin_path check for current_user.confirmed_at.blank? and render the view instead
My goal is to render a custom view instead of the notice but cannot hook into the right location. Who knows how to accomplish this? thx!
You can simply copy the code from the devise github and place in your controllers/devise. then change any action or method you want to.
You may also just extend the devise session controller and override any action you want to.
class Abc < Devise::SessionsController
# this just reopens the class.
# Remember classes are never "closed" in ruby!
end
I like the ruby way of solving this, I guess that in your UsersController after a POST request the user will be returned and signed in using the sign_in(Object) helper Devise provides.
Also I suggest using a confirmed boolean instead of timestamp.
Why not check for the value using an if else statement the ruby way:
user.confirmed ? sign_in(user) : render :partial => 'path/partial'
Hope this might help you out
I am using devise gem, everything works great, but the problem is after the login the entire user object is rendered. So if I send a json request to login it will return everything that the user object holds, I was able to limit to particular attributes using a rabl file during registration. What I did was just created a create.rabl in the views/devise/registration. But the same thing is not working for login. So how can i limit the resource attributes using devise.
After login, devise redirects, probably to user#show, so create a view file views/users/show.json.rabl that contains the attributes you want to return, for example,
object #users
attributes :id, :name, :email
Check out http://railscasts.com/episodes/322-rabl
I use Devise and right now /users/edit contains only Devise's password change form. I want to add a user settings form.
I am new to Rails, what is the best way to do this?
The view for /users/edit seems to be in /app/views/devise/passwords/edit.html.erb.
The controller for /users/edit is nowhere to be found. How to extract it from Rails's magic so that I can modify it?
The appropriate view is app/views/devise/registrations/edit.html.erb. You dont need controller to add additional fields into the registrations form, even if its a nested form fields of another model. Just make appropriate changes in your User model to save nested associations (accepts_nested_attributes_for), attr_accessible etc.
I'm trying to only allow access to galleries by users who have permission to view them. Galleries have many shared_users through permissions, and vice versa. Galleries also have only one owner. Owners and shared users are both of the User class. This all works fine. The issue that I'm having, however, is with my access filters.
I'm using the following code to see if a user is allowed to see the gallery they are trying to access:
def authenticate_viewers!
if user_signed_in? && current_user.can_view?(#gallery)
return true
end
redirect_to root_url,
:notice => "You must have permission to view this gallery."
return false
end
As you can see, can_view? requires the #gallery that I'm setting up in the show method, but a before_filter won't let you access the attributes set up in the method, since it resolves before the method executes. Using an after_filter works, as long as an unauthorized user doesn't try to view the gallery. If it does, I get a DoubleRender error, since after_filter allows the page to render, then tries to redirect.
I just thought that I could perhaps use params[:id] instead of #gallery, though I haven't tried it yet, and ultimately this may be more efficient (passing an integer instead of an object). In any case, is there a way to make my current code work? or is it in my best interest to switch to using the params (if that's even going to work)?
Wow, okay. It's really helpful just to start writing questions here on SO, because as I do, I typically get a brainstorm of how to solve the problem. Instead of using the #gallery object, I just use a Gallery.find(params[:id]) and everything works like a charm. Thank God I don't have to rewrite all my code.