More Rails Features

Flashcard 6 of 8

We want to protect our admin pages, ensuring that only admins can access them. We've been using filter methods (`before_action`) in our controllers, but this check has been forgotten a few times. Is there a higher level at which we can implement this authorization check so that all of our admin pages are protected?

We can use a routing constraint, which controls visibility at the routing level and can wrap all of our admin routes. [Clearance][] provides routing constraints for signed-in and signed-out users (`Clearance::Constraints::SignedIn` and `Clearance::Constraints::SignedOut`). The `SignedIn` constraint can be further customized by passing it a block, which receives the `current_user` instance and must return true for the route to match. Because the constraint is evaluated during routing, a request from anyone who doesn't satisfy it matches no route at all and gets a 404, rather than a sign-in redirect or a 403. That hides the admin area entirely, but it is still worth keeping the controller-level check as a second layer, so that an admin route added outside the constrained block is not left open.

```ruby
# Only signed-in users whose #admin? returns true match this constraint.
admin_constraint =
  Clearance::Constraints::SignedIn.new(&:admin?)

# Every route inside this block exists only for requests the constraint admits;
# everyone else gets a 404 for these paths.
constraints admin_constraint do
  namespace :admin do
    resources :users
    resources :projects do
      resources :milestones
    end
  end
end
```
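To see why the routing-level check behaves the way it does, here is an added, stand-alone example that is not part of the original card and does not load Rails or Clearance. It models the interface Rails requires of a constraint object (a `matches?(request)` method) and the way Clearance's `SignedIn` constraint reads the current user from `request.env[:clearance]`, then runs a few constructed requests through a toy router. The `User`, `Request`, `Router` and `SignedInConstraint` classes and the sample users are all assumptions made for this illustration.

```ruby
# Added example: a minimal model of a Clearance-style routing constraint.
# Nothing here is Clearance's or Rails' own code; the classes below are
# constructed stand-ins that mirror the interfaces involved.

# Stand-in for an application user; admin? is what &:admin? will call.
User = Struct.new(:email, :admin, keyword_init: true) do
  def admin?
    admin
  end
end

# Clearance exposes the current session under request.env[:clearance];
# this stub reproduces just the current_user reader a constraint needs.
ClearanceEnv = Struct.new(:current_user)

# Stand-in for the Rack request Rails passes to a constraint's matches?.
Request = Struct.new(:path, :current_user, keyword_init: true) do
  def env
    { clearance: ClearanceEnv.new(current_user) }
  end
end

# Models Clearance::Constraints::SignedIn: matches when a user is signed in
# and, if a block was given, when that block returns truthy for the user.
class SignedInConstraint
  def initialize(&block)
    @requirement = block || ->(_user) { true }
  end

  # Rails calls matches?(request) during route recognition.
  def matches?(request)
    user = request.env[:clearance].current_user
    !user.nil? && !!@requirement.call(user)
  end
end

# Toy router: an ordered list of (path prefix, constraint) pairs.
class Router
  Route = Struct.new(:prefix, :constraint)

  def initialize
    @routes = []
  end

  def constraints(constraint, prefix)
    @routes << Route.new(prefix, constraint)
  end

  # Status a request would receive: 200 when some route's constraint admits
  # it, 404 when nothing matches. This is the key property of a routing
  # constraint: an unauthorized request does not reach a controller at all,
  # so there is no 403 and no redirect, just "no such route".
  def status_for(request)
    hit = @routes.find do |route|
      request.path.start_with?(route.prefix) && route.constraint.matches?(request)
    end
    hit ? 200 : 404
  end
end

ROUTER = Router.new
# Equivalent of the card's `constraints admin_constraint do namespace :admin`.
ROUTER.constraints(SignedInConstraint.new(&:admin?), '/admin')
# A plain signed-in area with no extra requirement, for comparison.
ROUTER.constraints(SignedInConstraint.new, '/dashboard')

# Constructed sample users (assumptions for this example).
ADMIN  = User.new(email: 'admin@example.com', admin: true)
MEMBER = User.new(email: 'member@example.com', admin: false)

# Returns the status the given user (nil = signed out) gets for a path.
def status_for(user, path = '/admin/users')
  ROUTER.status_for(Request.new(path: path, current_user: user))
end

if __FILE__ == $PROGRAM_NAME
  { 'admin' => ADMIN, 'member' => MEMBER, 'anonymous' => nil }.each do |label, user|
    puts format('%-10s /admin/users -> %d', label, status_for(user))
  end
end
```

Running the script shows the admin getting 200 while both the non-admin member and an anonymous visitor get 404 for `/admin/users`; the member still reaches `/dashboard`. The same block-customization idea generalizes to any predicate on the user (a role check, a feature flag), since the block simply has to return truthy.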

You can see a real usage of this in [Upcase's admin routes][].

You can read more about advanced routing constraints in the [Advanced Routing Constraints][] section of the Rails routing guide.

In addition, you can read about [Clearance's routing constraints][] to see more detail on how they work.

[Advanced Routing Constraints]: http://guides.rubyonrails.org/routing.html#advanced-constraints
[Clearance's routing constraints]: https://github.com/thoughtbot/clearance#access-control
[Upcase's admin routes]: https://github.com/thoughtbot/upcase/blob/6e3c292891422e2c163430f485863bafa772a68d/config/routes/admin.rb
[Clearance]: https://github.com/thoughtbot/clearance