Closed jpwynn closed 7 years ago
Hey @jpwynn. Delayed::Web is a Rails engine that is isolated from your app. The most straightforward way to authorise the right person is to use Rails' router constraints, or inject your own piece of middleware into the engine. There's an example in the README.
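The middleware approach suggested in this reply, as an added example (not code from the delayed-web project or from anyone in this thread): a small Rack middleware that only lets a signed-in Devise `:admin` reach the mounted engine and otherwise redirects out to the main app. The `:admin` scope, the `/` redirect path and the `/jobs` mount point are assumptions.

```ruby
# Rack middleware guarding the mounted Delayed::Web engine (added example).
# Assumes Devise/Warden has placed a Warden::Proxy in env['warden'];
# the :admin scope, the redirect path and the mount point are assumptions.
class RequireAdmin
  def initialize(app, scope: :admin, redirect_to: '/')
    @app = app            # the engine (or any Rack app) being protected
    @scope = scope        # Devise scope whose sign-in we require
    @redirect_to = redirect_to
  end

  # Rack protocol: take env, return [status, headers, body].
  def call(env)
    warden = env['warden']
    # Warden::Proxy#user(scope) is nil when nobody is signed in under that
    # scope; a missing proxy means Devise never ran, so treat it as anonymous.
    signed_in = warden && warden.user(@scope)
    return @app.call(env) if signed_in

    # Answer with our own response so the engine's controllers never run
    # for an unauthorised request; this is the redirect "out" to the main app.
    [302, { 'Location' => @redirect_to, 'Content-Type' => 'text/plain' },
     ['Redirecting']]
  end
end

# Constructed stand-ins so the example runs without Rails or Devise.
FakeWarden = Struct.new(:users) do
  def user(scope)
    users[scope]
  end
end
FAKE_ENGINE = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['jobs']] }

# Status code the guarded engine returns for a given Rack env.
def guarded_status(env)
  RequireAdmin.new(FAKE_ENGINE).call(env).first
end

# In a real app the same guard can be declared in config/routes.rb with
# Devise's route helper (assumed usage, not copied from the README):
#   authenticate :admin do
#     mount Delayed::Web::Engine, at: '/jobs'
#   end
```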
Since one presumably would never want just any member of the public to be able to access the /jobs and /job/:id routes, what is the best practice for limiting access to admins when using either devise or pundit?
I was successfully able to override the controller as shown below by placing a copy of the controller in app/controllers/devise/web/jobs_controller.rb and verified with a couple of puts statements that THIS controller is being invoked.
But I cannot see how to apply authorization logic.
Using the usual Devise approach I tried `before_action :authenticate_admin!`, but that gave an undefined symbol error, as did the usual Pundit approach, `after_filter :verify_authorized`.
I also tried inserting a

```ruby
redirect_to my_app_home_path and return if !current_admin
```

but it does not redirect (it does recognize the value of `current_admin`, but the redirect "out" to the main app's routes doesn't happen).