To add a Devise user on a Heroku site, we combine two commands.
Command 1: With Devise, you can enter the following into your Rails console to build a user (the record is only written to the database once you call save on it):
User.new(:email => "firstname.lastname@example.org", :password => 'password', :password_confirmation => 'password')
Command 2: To run commands in the Heroku terminal, go into the local directory of the corresponding app and type:
heroku run [whatever you want to run]
So if we put those together we get the following, assuming that your user model is in fact called
- Change your directory to your app:
- Enter into the rails console on Heroku with the following:
heroku run rails c
- Run the create user code:
user = User.new(:email => "email@example.com", :password => 'password', :password_confirmation => 'password')
- Then finally user.save
Finally, if you want to do this for a separate admin model, simply replace User in the instructions above with Admin (provided of course that’s what your separate admin model is called; if not, adjust accordingly).
That’s it! You should be good to go!
There seems to be very little written about this in the Rails literature out there, so I thought I’d make a contribution. There’s plenty posted about using authorization management gems like CanCan (which is well and good), but for those of us creating a small basic app, such gems are overkill. It’s also worth using a filter just to get an understanding of what’s going on if you’re new to Rails (like me!)
To create a stupid-simple authorization system that makes sure that only admins and the owner of a post can edit that post.
- You are using the devise gem and have set it up
- You have created an Admin model (Option 1 in the Devise Wiki)
(It’s really short)
To allow only admins and the user who owns a given post to edit it, put the following in your posts controller:
before_filter :require_permission, only: [:edit, :update, :destroy]

def require_permission
  if current_user != Post.find(params[:id]).user && !admin_signed_in?
    redirect_to :root, notice: "Access Denied."
  end
end
(Do make your indentation better than the code above; I’m up against wordpress’s auto-correct and don’t feel like fighting with it)
Anyway, that’s it!
So why? Let’s start with the top
- We’re registering a method called require_permission (defined below) to run before the edit, update and destroy actions, meaning any user calling these actions must meet the requirements outlined in require_permission.
- Next we define require_permission and say that if the current user is NOT the user on file for the given post, we go on to the next check.
- Then we check if the session user is an admin or, more accurately, if the user is NOT the admin (note the exclamation point). Because user and admin are two different models, Devise has defined two different sets of very similar methods when referring to either one. Check them out here. It helps clarify things.
- Finally we add the redirect to the homepage with an ominous “ACCESS DENIED” message at the top.
So to recap, if the user is not the owner of the post AND not signed into the admin model, they get booted back to the homepage. Otherwise, they can do whatever they want to the post.
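The recap above as an added example (not code from the original post): a plain-Ruby model of the filter's decision that runs without Rails, where `User`, `Post` and both `permitted_*` functions are hypothetical stand-ins. It also covers a case the walkthrough does not: a signed-out visitor and a post with no user compare as equal, so the original rule lets the request through, while the stricter variant requires both sides to be present.

```ruby
# Added example: plain Ruby, no Rails or Devise required.
# User, Post and both permitted_* functions are hypothetical stand-ins.
User = Struct.new(:id)
Post = Struct.new(:id, :user)

# The rule as the post states it: deny only when the visitor is neither the
# post's owner nor signed in as an admin.
def permitted_original?(current_user, admin_signed_in, post)
  denied = current_user != post.user && !admin_signed_in
  !denied
end

# Stricter variant: an admin session passes; otherwise both sides of the
# ownership comparison must be present before they are compared.
def permitted_strict?(current_user, admin_signed_in, post)
  return true if admin_signed_in
  return false if current_user.nil? || post.user.nil?
  current_user == post.user
end

ALICE  = User.new(1)
BOB    = User.new(2)
OWNED  = Post.new(10, ALICE)
ORPHAN = Post.new(11, nil) # constructed: post whose user association is empty

# Constructed cases: [label, current_user, admin_signed_in, post]
CASES = [
  ["owner",                ALICE, false, OWNED],
  ["other user",           BOB,   false, OWNED],
  ["admin session",        nil,   true,  OWNED],
  ["signed out",           nil,   false, OWNED],
  ["signed out, no owner", nil,   false, ORPHAN],
].freeze

# Returns [label, original_decision, strict_decision] for every case.
def decision_table
  CASES.map do |label, user, admin, post|
    [label, permitted_original?(user, admin, post), permitted_strict?(user, admin, post)]
  end
end

decision_table.each do |label, original, strict|
  puts format("%-22s original=%-5s strict=%s", label, original, strict)
end
```

In a real controller, running Devise's `authenticate_user!` before this filter closes the signed-out case as well.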
I’ve been using the Devise gem for a couple apps in my recent exploration of Ruby on Rails. It works pretty well and has a lot of great features but the documentation on how to best go about setting up administrators on it is a bit vague. I would write up some notes on how to do it but I’d basically be plagiarizing another post on the matter which really cleared things up for me. Check it out: http://jonallured.com/2011/04/30/using-devise-for-admin-accounts.html