[英]Administrate Gem On Heroku
I have followed a tutorial on how to install The Administrate Gem which is an alternative for ActiveAdmin in Ruby on Rails , It's working fine in development and production (Heroku) but the only concern is when i go to www.myherokuapp.com/admin i go there without asking for a password. 我遵循了有关如何安装Administrate Gem的教程,这是Ruby on Rails中ActiveAdmin的替代方法,它在开发和生产(Heroku)中都运行良好,但唯一的问题是当我访问www.myherokuapp.com/admin时去那里不要求输入密码。 I even did that with another computer.
我什至用另一台电脑做到了。 Did anyone had this issue before ?
以前有人遇到过这个问题吗? Here's my user dashboar file
这是我的用户仪表板文件
dashboard/users_dashboard 仪表板/ users_dashboard
require "administrate/base_dashboard"
class UserDashboard < Administrate::BaseDashboard
# ATTRIBUTE_TYPES
# a hash that describes the type of each of the model's fields.
#
# Each different type represents an Administrate::Field object,
# which determines how the attribute is displayed
# on pages throughout the dashboard.
ATTRIBUTE_TYPES = {
posts: Field::HasMany,
reviews: Field::HasMany,
id: Field::Number,
email: Field::String,
encrypted_password: Field::String,
reset_password_token: Field::String,
reset_password_sent_at: Field::DateTime,
remember_created_at: Field::DateTime,
sign_in_count: Field::Number,
current_sign_in_at: Field::DateTime,
last_sign_in_at: Field::DateTime,
current_sign_in_ip: Field::String,
last_sign_in_ip: Field::String,
created_at: Field::DateTime,
updated_at: Field::DateTime,
name: Field::String,
password: PasswordField,
password_confirmation: PasswordField
}
# COLLECTION_ATTRIBUTES
# an array of attributes that will be displayed on the model's index page.
#
# By default, it's limited to four items to reduce clutter on index pages.
# Feel free to add, remove, or rearrange items.
COLLECTION_ATTRIBUTES = [
:posts,
:reviews,
:id,
:email,
]
# SHOW_PAGE_ATTRIBUTES
# an array of attributes that will be displayed on the model's show page.
SHOW_PAGE_ATTRIBUTES = ATTRIBUTE_TYPES.keys
# FORM_ATTRIBUTES
# an array of attributes that will be displayed
# on the model's form (`new` and `edit`) pages.
FORM_ATTRIBUTES = [
:posts,
:reviews,
:email,
:password,
:password_confirmation,
# :encrypted_password,
# :reset_password_token,
# :reset_password_sent_at,
# :remember_created_at,
# :sign_in_count,
# :current_sign_in_at,
# :last_sign_in_at,
:current_sign_in_ip,
:last_sign_in_ip,
:name,
]
# Overwrite this method to customize how users are displayed
# across all pages of the admin dashboard.
#
# def display_resource(user)
# "User ##{user.id}"
# end
end
As suggested by the authors , the easiest way to secure your admin page is basic HTTP authentication: 正如作者所建议的那样,保护您的管理页面最简单的方法是基本的HTTP身份验证:
class Admin::ApplicationController < Administrate::ApplicationController
http_basic_authenticate_with name: "name", password: "supersecretpassword"
end
Make sure you don't put your name and password in your source if it's public. 确保您未在公共信息源中输入名称和密码。 Use environment vars (using dotenv below) instead:
使用环境变量(在下面使用dotenv )代替:
class Admin::ApplicationController < Administrate::ApplicationController
http_basic_authenticate_with name: ENV.fetch("ADMIN_NAME"), password: ENV.fetch("ADMIN_PASSWORD")
end
In your Admin::ApplicationController
you should implement the authenticate_admin
method. 在您的
Admin::ApplicationController
您应该实现authenticate_admin
方法。 So for example you could redirect your user if they're not an admin. 因此,例如,如果用户不是管理员,则可以重定向用户。 For more info, you can check the docs .
有关更多信息,您可以检查docs 。
def authenticate_admin
redirect_to root_path unless current_user.admin?
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.