Allow only one user to be an admin with devise
Question
I`m creating a webpage with rails 6, devise and cancan.
I need an admin role but i do not want to create a separate model instead i added a Boolean column to user is table, but here`s the thing,
If any user sign up then it would be a security concern that any user would grant admin privileges only by changing the value of this column to true.
So i thought perhaps i would remove "admin" from "user_params" but then i would have to make this change from the console which is not good enough.
How i should only grant admin to specific user, my thoughts where i would only allow it for the first user only, or specific email but it feels stupid, there must be a smarter way.
How i get the application to have only one admin who can make any other user admin but only him who can do that and if any normal user signed up, no matter what he ca not manipulate this column in any way?
Best Regards
1 answers
solution1
1 ACCPTED 2019-10-01 09:36:03
- Remove
adminfromuser_paramsin signup controller. You don't want users to become admin just by preparing request. - Introduce third column
super_admin, and grant this role from the console if you have to do it only once. - Create views and controllers only accessible to
super_adminwhere she can updateadminfor all users.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.