How to restrict a view of a DIFFERENT page to a logged in admin user

[verachell]

Noob here - I've got rails with Trestle and trestle-auth working on a simple tryout app. This question is similar to #21 but a little bit different.

FYI - In case this has any bearing on it, I'm not using the devise gem, I'm doing my authentication via the trestle-auth authenticator.

Here I'm asking how would I restrict a different view (i.e. one that's not in the Admin area / Trestle backend) to a logged in admin user. Here's what I tried so far. I went along the lines the solution of the other issue linked to above. I have a model called label with a labels_controller. I want the view for the labels page to be only visible to a logged in admin user. NOTE: I may be using 'admin' loosely - I mean a Trestle logged-in user.

I did this:

# app/controllers/labels_controller.rb
class LabelsController < ApplicationController
before_action :checkadmin
  def index
  @labels = Label.all
  end
  
  private
  
  def checkadmin
unless current_user.admin?
 redirect_to "/404.html"
 end
  end
  
end

The above resulted in an error
undefined local variable or method `current_user' for #<LabelsController...

I tried changing the line in checkadmin to unless Trestle.current_user.admin? but then it gave me this error
NoMethodError (undefined method `current_user' for Trestle:Module):

Next trying to use current_user in the Trestle admin area

After putting everything back to normal with my labels controller, I tried changing just the labels view in the Trestle admin area simply to test my usage of current_user.admin? (even though I don't actually want to do that in my real app)

# app/admin/labels_admin.rb
Trestle.resource(:labels) do
  menu do
    item :labels, icon: "fa fa-star"
  end

  # Customize the table columns shown on the index view.
  
  if current_user.admin?
   table do
     column :title
     column :created_at, align: :center
     actions
   end
   end

end

When I load the admin page for labels it says:
undefined local variable or method `current_user' for #<Trestle::Resource::Builder:0x00007f88a17fb4e0 @admin=LabelsAdmin, @ controller=LabelsAdmin::AdminController>

I think I must be making some basic error somewhere when testing if the current logged in user is an admin. Would anyone please be willing to point me in the right direction?

[spohlenz]

1. For your first issue (using Trestle authentication from a non-Trestle controller), you'll need to include the trestle-auth authentication concerns, and then add the relevant before_action:

class LabelsController < ApplicationController
  include Trestle::Auth::Controller::Authentication

  before_action :require_authenticated_user
end

This has also revealed a small bug in trestle-auth that I will need to address, which requires a modification to your config/initializers/trestle.rb. For now, add the following line within the configure block:

config.auth.login_url = -> { trestle.login_url }

2. For the second issue, you can't refer to current_user from directly underneath the Trestle.resource definition. Within a form block (and some others) you can, as that is evaluated with the full template context. For a table, you can pass an if or unless option to hide the column for certain users:

table do
  column :title
  column :secret, if: -> { current_user.superuser? }
  column :created_at, align: :center
  actions
end

You'll need to have the relevant custom flag (e.g. admin? or superuser?) added to the User model for this particular example to work.

[verachell]

Thank you for your response, it was extremely helpful. I tried out what you said in the first part of the question and I confirm it worked. Thanks again!

However, I should mention one behavior in the resultant solution that I wasn't sure if it was intentional or not, is that before_action :require_authenticated_user turned out to be unnecessary when include Trestle::Auth::Controller::Authentication is used. The latter plus the setting in config/initializers/trestle.rb of config.auth.login_url = -> { trestle.login_url } was sufficient to make it go to the login page if not already logged in.

To double-check this, I added Trestle::Auth::Controller::Authentication to another of my controllers that handles a different view (a front-facing results page from a search box):

class ResultsController < ApplicationController
include Trestle::Auth::Controller::Authentication
...

When that is included, and without the use of before_action :require_authenticated_user, then when I view the Results page (when not logged into Trestle admin), it forces a redirect to my Trestle login page. Now, this is fine if I want to force authentication on that page as was the case in my original question. In that case there is no problem.

However, what if someone merely want to use trestle-auth on the controller to a front-facing page to access one of the other trestle-auth methods such as logged_in? without automatically redirecting everyone who's not logged in to the Trestle login page? This is more of a rhetorical question from my standpoint, since my original question on this issue has been answered thanks to you. I just wanted to bring it up in case it was relevant to anything.

Thanks again for all your help! I'm so grateful to have a page that is only visible to logged-in Trestle users! My issue has been solved, so you are welcome to close this issue. Being a noob I wasn't sure if the etiquette was that I should close it or you should close it, sorry. Thanks again.

[spohlenz]

However, I should mention one behavior in the resultant solution that I wasn't sure if it was intentional or not, is that before_action :require_authenticated_user turned out to be unnecessary when include Trestle::Auth::Controller::Authentication is used.

Ah, yes you are correct.

However, what if someone merely want to use trestle-auth on the controller to a front-facing page to access one of the other trestle-auth methods such as logged_in? without automatically redirecting everyone who's not logged in to the Trestle login page?

This is definitely a good point. I might rethink where the before_actions are added, so that the module can be more easily reused outside of a Trestle context.