New To Rails, and Trestle - how to restrict access to a view to admin users

[VinylVault]

Hi All,

Please forgive what is probably a n00bs question, being raised as an issue, but I can't find the info I seek by googling or reading through the docs.

I want to limit the access to a particular page to admin users only. The script is to import data - naturally general visitors I dont want to be able to do this (although strictly speaking there will be no issue if they did apart from if many tried, it would become a DDOS - long running script)

I have trestle-auth installed and working - and have created the MVC for the import

Hope I've given enough info for help, if not, let me know and i will add more

Thanks for Help
Rich

[spohlenz]

This is definitely a valid question -- the docs and authorization functionality are still somewhat lacking.

To accomplish this today however, I would suggest using a before_action within your Trestle admin/resource. This works pretty much the same as before_action within a Rails controller (see https://guides.rubyonrails.org/action_controller_overview.html#filters).

Here's an example that should be fairly close to your situation.

Trestle.resource(:articles) do
  before_action only: :import do
    unless current_user.admin?
      flash[:error] = "Administrator access required."
      redirect_to Trestle.config.path
    end
  end
end

Note that this won't automatically remove any buttons you have added (or built-ins), so you will need wrap them in some similar if statements.

[leotrieu]

current_user.admin? doesn't work with Devise and Rails 6.0.0.rc1

I installed trestle-auth and Devise and when I went to the admin pages, it was looking at the Users table (from Devise) instead of the Administrator table (from trestle-auth).

Is there any solution for this?
Thank you!

[frenkel]

I know this is an old issue, please close it if this has been resolved or has become irrelevant for you.

current_user.admin? is checking whether the admin attribute on your User model is true. If you don't have that, it won't work. If you're using something like administrator you should use current_user.administrator?.