Welcome to my next blog post. This post will deal with the topics of authorization and validations. First let’s deal with authorization. When we create and app, we don’t necessarily want every user to be able to do certain things within the app. For example, we might not want a user to have the abilty to delete or edit the contents of the app. To safeguard against this, we have the concept of authorization. Basically, we want to give a specific user or users administrative rights. Those users will have full access to the app, while non-administrative users will have more restricted access.
This post assumes you have already set up authentication for users in your app. Authentication allows a user to sign up, log in and log out of an app. A good tutorial for how to do this can be found here:
To get started, we must add an attribute to our users table called “admin”. As discussed in my previous post, we would do this by creating a migration called something along the lines of “AddAdminToUser” and add the following code to the migration file:
add_column :users, :admin, :boolean, default: false
Boolean denotes the type of attribute and means it can either be true or false. Furthermore, we have set a default value of false to this attribute. So, whenever a new user is created, they will automatically NOT have administrative rights. We will have to manually change this to true for anyone we want to be an administrator. This makes the app much more secure.
Next, we must go into the application_contoller.rb file located in the app/contollers folder. Here we must define a method called authenticate_admin! We do this by writing the following code at the top of the file:
redirect_to"/login" unless current_user && current_user.admin?
We put the method in this file bcause we want all the contollers of our app to have access to it. Basically, this method is saying that unless a user is signed in and has administrative rights, redirect them back to the login page if they try to access a page you have deemed restricted.
Now, at the top of the contoller page for a specific aspect of your app (continuing with our example from the previous post that would be products_controller.rb located in the same folder as the application_controller.rb file) we can write code which would restrict a user’s access to certain methods in the controller. At the top of the file we could write the following code:
before_action :authenticate_admin!, only: [:new, :create]
Breaking this down, “before_action” designates code that should be run first (before certain other code is run). Next, “authenticate_admin!” indicates the method which should be run first (in this example, it is the method we created above). Finally, “only: [:new, :create]” specifies which methods in the products_controller.rb file we want to have restricted access. All the other methods in this file, will not require administrative rights.
Instead of the above, we could also write code such as the following:
before_action :authenticate_admin!, except: [:index, :show]
This would restrict access to all the methods in the file EXCEPT the ones designated (in this case, “index” and “show”). How you write the code is case specific and depends upon how many methods you want to have restricted access. For example, if your file contains many methods which you want restricted, it would be easier and shorter to use the “except” convention.
Don’t be suprised by some mischievous or malicious user who has completely altered your app. Now you can make your app more secure with administrator rights!