
Rails active_admin : How to restrict admin_user to change other admin_users' passwords?

I have the following on my active_admin, which is just the default for the admin_user model. This allows all the admin_users to change all other admin_users' passwords. Does anybody know how I can restrict admin_users from changing the passwords of others?

ActiveAdmin.register AdminUser do
  index do
    column :email
    column :current_sign_in_at
    column :last_sign_in_at
    column :sign_in_count
    default_actions
  end

  filter :email

  form do |f|
    f.inputs "Admin Details" do
      f.input :email
      f.input :password
      f.input :password_confirmation
    end
    f.actions
  end
end

I am not sure, but you can give this a try:

ActiveAdmin.register AdminUser do

  actions :all, :except => [:new]

  controller do
    # role? and ADMIN_ROLE are assumed to be defined on the AdminUser model;
    # non-admins lose the edit and destroy actions entirely.
    def action_methods
      if current_admin_user.role?(AdminUser::ADMIN_ROLE)
        super
      else
        super - ['edit', 'destroy']
      end
    end
  end
end

Another way to go might be to remove the password and password_confirmation fields from this form and create a "change password" action or maybe even a "my account" page where you can change your password.

A third way might be to only show the password fields when you're editing "yourself", like so:

ActiveAdmin.register AdminUser do
  index do
    column :email
    column :current_sign_in_at
    column :last_sign_in_at
    column :sign_in_count
    default_actions
  end

  filter :email

  form do |f|
    f.inputs "Admin Details" do
      f.input :email
      if(f.object == current_admin_user)
        f.input :password
        f.input :password_confirmation
      end
    end
    f.actions
  end
end

Untested, but it should work.

Update: If you want one specific user to be able to update all other users' passwords, like you suggest in the comment to your question, you could consider this:

form do |f|
  f.inputs "Admin Details" do
    f.input :email
    if(current_admin_user.is_super_admin?)
      f.input :password
      f.input :password_confirmation
    end
  end
  f.actions
end

The is_super_admin? could refer to a boolean value is_super_admin or could be a method in your model depending on a role field:

#  role                 :string(255)

class AdminUser < ActiveRecord::Base
  ROLES = ['normal', 'super']
  SUPER_ROLE = 'super'

  def is_super_admin?
    role == SUPER_ROLE
  end
end

Update 2: You will indeed also want to prevent users from altering the post parameters to change others' passwords. Again, there's option 1, doing it in the controller. I have only shallow knowledge of ActiveAdmin, so maybe there's a better way, but this should work:

ActiveAdmin.register AdminUser do
  controller do
    # Password fields arrive nested under params[:admin_user], so strip them there, and on update too (the action that edits existing users).
    def create
      strip_password_params
      super
    end

    def update
      strip_password_params
      super
    end
    private
    def strip_password_params
      params[:admin_user].try(:except!, :password, :password_confirmation)
    end
  end
end

Another (more elegant) solution would be to make sure your AdminUsers' passwords can't be changed through mass assignment. That kind of logic would go into the model:

class AdminUser < ActiveRecord::Base
  # .. and everything else you need to be able to edit through a normal form,
  # but NOT password and password_confirmation
  attr_accessible :login, :name, :email
end

Then you will probably want to create your own change_password method where individual users can change their passwords. In the controller action saving that form, you would then do something like this:

def submit_change_password
  @admin_user = current_admin_user
  @admin_user.password = params[:password]
  @admin_user.password_confirmation = params[:password_confirmation]
  if @admin_user.save
    ..
  else
    ..
  end
end

This way they will only be able to change their own passwords.
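The rule the answers above arrive at (only the user themselves, or a super admin, may set a password) expressed as a server-side filter in plain Ruby, run against constructed form parameters. This is an added example, not code from the question or answers; it assumes AdminUser records expose `id` and a `role` string as in the model shown above, and the filter is what the `create`/`update` override in the controller would apply to `params[:admin_user]`.

```ruby
require 'ostruct'

SUPER_ROLE = 'super'
PASSWORD_KEYS = %w[password password_confirmation]

# Hiding the inputs in the form only changes what the browser renders; the
# server has to decide, per request, whether the password keys may be applied.
def may_change_password?(actor, target)
  actor.id == target.id || actor.role == SUPER_ROLE
end

# Returns a copy of the submitted admin_user attributes with the password keys
# removed unless the policy allows them. Keys are normalised to strings, which
# is how Rails delivers form parameters, so symbol-keyed input is handled too.
def filter_admin_user_params(actor, target, submitted)
  attrs = submitted.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  return attrs if may_change_password?(actor, target)
  attrs.reject { |k, _| PASSWORD_KEYS.include?(k) }
end

# Three constructed cases: a normal admin editing someone else, a normal admin
# editing themselves, and a super admin editing someone else. The hash is
# what the edit form posts under params[:admin_user].
def demo
  normal      = OpenStruct.new(id: 1, role: 'normal')   # constructed user
  super_admin = OpenStruct.new(id: 2, role: 'super')    # constructed user
  other       = OpenStruct.new(id: 3, role: 'normal')   # constructed user
  submitted = {
    'email' => 'other@example.com',
    'password' => 'new-secret',
    'password_confirmation' => 'new-secret'
  }
  {
    normal_editing_other: filter_admin_user_params(normal, other, submitted),
    normal_editing_self:  filter_admin_user_params(normal, normal, submitted),
    super_editing_other:  filter_admin_user_params(super_admin, other, submitted)
  }
end

demo.each { |label, attrs| puts "#{label}: #{attrs.keys.join(', ')}" } if $PROGRAM_NAME == __FILE__
```

Only the first case loses the password keys; the same function can be called from the `update` override before `super` so that the stripped hash is what ActiveAdmin assigns.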
