tatey / delayed-web

A rails engine that provides a simple web interface for exposing the Delayed::Job queue.
MIT License

How to limit /jobs routes to admins (using devise and/or pundit for example)? #22

Closed jpwynn closed 7 years ago

jpwynn commented 7 years ago

Since one presumably would never want just any member of the public to be able to access the /jobs and /job/:id routes, what is the best practice for limiting access to admins when using either devise or pundit?

I was successfully able to override the controller as shown below by placing a copy of the controller in app/controllers/devise/web/jobs_controller.rb and verified with a couple of puts statements that THIS controller is being invoked.

But I cannot see how to apply authorization logic.

Using the usual Devise approach I tried before_action :authenticate_admin! but that gave an undefined symbol error. As did the usual Pundit approach, after_filter :verify_authorized.

I also tried inserting a

    redirect_to my_app_home_path and return if !current_admin

but it does not redirect (it does recognize the value of current_admin, but the redirect "out" to the main app's routes doesn't happen).

    class Delayed::Web::JobsController < Delayed::Web::ApplicationController
      # WHAT GOES HERE?
      # error, undefined, for devise:   before_action :authenticate_admin!
      # error, undefined, for pundit:   after_filter :verify_authorized
      def queue
        ...
      end

      ...
    end

tatey commented 7 years ago

Hey @jpwynn. Delayed::Web is a Rails engine that is isolated from your app. The most straight forward way to authorise the right person is to use Rails' router constraints, or inject your own piece of middleware into the engine. There's an example in the README.
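The two approaches tatey points at, written out as an added example (this is not the README's code or anything from the delayed-web project; it assumes a Devise setup with a separate Admin model, so the Warden scope is `:admin`, which is what makes `current_admin` exist in the host app). Both rely on the same fact: Devise stores the signed-in record in Warden, and Rack exposes Warden as `env['warden']`, which is reachable from the router and from engine middleware even where Devise's controller helpers are not. The `AdminAuth`, `AdminConstraint`, `RequireAdmin` and `Fake*` names are mine, and the stand-in Warden and request objects are constructed here so the file runs outside Rails.

```ruby
# Added example, not delayed-web's own code. Assumes Devise with an Admin model
# (Warden scope :admin). Names below are hypothetical.

# Shared check: ask Warden directly for the :admin session. Works anywhere in the
# Rack stack, unlike Devise's controller helpers (current_admin, authenticate_admin!).
module AdminAuth
  WARDEN_KEY = 'warden'.freeze
  SCOPE = :admin

  def self.admin?(env)
    warden = env[WARDEN_KEY]
    return false unless warden.respond_to?(:user)
    !warden.user(SCOPE).nil?
  end
end

# Option 1: a router constraint. Rails calls #matches?(request) before dispatching;
# on false the mount does not match and the request falls through to the host
# app's other routes (a 404 if nothing else matches).
#
#   # config/routes.rb
#   mount Delayed::Web::Engine, at: '/jobs', constraints: AdminConstraint.new
class AdminConstraint
  def matches?(request)
    AdminAuth.admin?(request.env)
  end
end

# Option 2: Rack middleware pushed onto the engine's own stack, so it wraps every
# engine route without touching the host app. Denies with a 403 instead of
# falling through.
#
#   # config/initializers/delayed_web.rb
#   Delayed::Web::Engine.middleware.use RequireAdmin
class RequireAdmin
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if AdminAuth.admin?(env)
    [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
  end
end

# --- Stand-ins so this runs outside Rails (constructed for this example only) ---
FakeWarden = Struct.new(:admin_record) do
  # Mirrors Warden::Proxy#user(scope): the record for that scope, or nil.
  def user(scope = :default)
    scope == :admin ? admin_record : nil
  end
end
FakeRequest = Struct.new(:env)
FakeAdmin   = Struct.new(:email)

ADMIN_ENV     = { 'warden' => FakeWarden.new(FakeAdmin.new('ops@example.com')) }.freeze
ANONYMOUS_ENV = { 'warden' => FakeWarden.new(nil) }.freeze
NO_WARDEN_ENV = {}.freeze # Warden::Manager not in the stack at all

# Stand-in for the mounted engine app.
ENGINE = ->(_env) { [200, { 'content-type' => 'text/html' }, ['<h1>jobs</h1>']] }

def constraint_allows?(env)
  AdminConstraint.new.matches?(FakeRequest.new(env))
end

def middleware_status(env)
  RequireAdmin.new(ENGINE).call(env).first
end

if $PROGRAM_NAME == __FILE__
  { 'admin' => ADMIN_ENV, 'anonymous' => ANONYMOUS_ENV, 'no warden' => NO_WARDEN_ENV }.each do |label, env|
    puts "#{label.ljust(10)} constraint=#{constraint_allows?(env)} middleware=#{middleware_status(env)}"
  end
end
```

The constraint runs in the router, before any engine controller, which is why it is the right place rather than an overridden JobsController. Its failure mode is a plain 404 (the mount never matched), so the existence of the queue is not revealed to anonymous visitors; the middleware answers 403 instead, which is more explicit but does confirm the path exists. If you want unauthenticated admins redirected to a sign-in page rather than a 404, add an unconstrained route for the same path after the constrained mount and have it redirect; the constrained mount wins whenever an admin session is present.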