Closed tagirahmad closed 2 years ago
Describe the bug
I can't make it possible to authenticate in rails_admin only admin users and prohibit "ordinary" users from logging in.
My solution below does not work correctly. Even though it raises `CanCan::AccessDenied`, it eventually still logs in a non-admin user as well.
Reproduction steps
I've added the following configuration:
The `User` model:

```ruby
class User < ApplicationRecord
  devise :database_authenticatable, :registerable, :recoverable,
         :rememberable, :validatable, :trackable

  enum :role, admin: 'admin', user: 'user'
end
```

User's `role` field is declared in the migration as:

```ruby
t.enum :role, enum_type: :user_role, default: "user", null: false
```
In `routes.rb`:

```ruby
mount RailsAdmin::Engine => '/admin', as: 'rails_admin'
devise_for :admins, class_name: 'User'
```
In `rails_admin.rb`:

```ruby
config.authenticate_with do
  warden.authenticate! scope: :admin
end
config.current_user_method(&:current_admin)
config.authorize_with :cancancan
```
In `ability.rb`:

```ruby
# Wrapped in the Ability class so the snippet is complete; the rules are as posted.
class Ability
  include CanCan::Ability

  def initialize(user)
    if user.admin?
      can :access, :rails_admin
      can :manage, :all
    else
      can :authorize
    end
  end
end
```
In `application_controller.rb`:

```ruby
rescue_from CanCan::AccessDenied do |exception|
  redirect_to main_app.new_admin_session_path, alert: exception.message
end
```
Expected behavior
Allow authentication to rails_admin only for Users whose `role == 'admin'` in the database.
Additional context
rails version: 7.0.3
rails_admin version: 3.1.0.rc2
rails_admin npm package version: 3.1.0-rc2

You're mixing up authentication and authorization. Your assumption is wrong, doing something for authorization doesn't change how authorization is performed.
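Keeping the two concerns apart, as an added example (not the issue author's configuration and not rails_admin's own code): Devise authenticates every `User` under its default `:user` scope, and CanCanCan alone decides who may enter rails_admin. It assumes the `User` model and `role` enum from the issue, and that `main_app.root_path` exists as a page non-admins are allowed to see.

```ruby
# config/routes.rb -- one Devise scope for all Users; no separate :admin scope
Rails.application.routes.draw do
  devise_for :users
  mount RailsAdmin::Engine => '/admin', as: 'rails_admin'
end

# config/initializers/rails_admin.rb
RailsAdmin.config do |config|
  # Authentication only proves identity: any registered User passes this.
  config.authenticate_with do
    warden.authenticate! scope: :user
  end
  config.current_user_method(&:current_user)
  # Authorization is what keeps non-admins out: rails_admin asks the Ability
  # for :access on :rails_admin before serving any admin page.
  config.authorize_with :cancancan
end

# app/models/ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new            # not signed in: no rules at all
    return unless user.admin?    # predicate generated by `enum :role, ...`

    can :access, :rails_admin
    can :read, :dashboard
    can :manage, :all
  end
end

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # A signed-in non-admin is already authenticated, so redirecting them to
  # the sign-in page only bounces them back (Devise sees a live session).
  # Send them to a page they are actually allowed to view instead.
  rescue_from CanCan::AccessDenied do |exception|
    redirect_to main_app.root_path, alert: exception.message
  end
end
```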