devise_invitable: Only allow admin to invite users

StackOverflow https://stackoverflow.com/questions/14175961

Question

I am using devise_invitable gem to enable invites in my app along with devise for a rails 3 app. I have a User & Profile model. In User, there is a role column which gives type of user.

Now, I would like to restrict feature of creating new invites only to admin by scoping this scoping route to devise/invitations#new where user.role=='admin' & open rest of the routes to everybody. something like this

MyApp::Application.routes.draw do

devise_for :users, skip: [:registrations, :invitations]

as :user do
 get 'users/edit' => 'devise/registrations#edit', as: 'edit_user_registration'
  put 'users' => 'devise/registrations#update', as: 'user_registration'

# manually define alll devise_invitable routes, except devise/invitations#new

# accept_user_invitation GET /users/invitation/accept(.:format) devise/invitations#edit

# user_invitation POST /users/invitation(.:format) devise/invitations#create

# also the #accept route goes here

end



resource :profile, except: :destroy

authenticated :user, lambda {|u| u.role == "admin"} do

resources :user, controller: "user"

#only allow admin to invite other users

# new_user_invitation GET /users/invitation/new(.:format) devise/invitations#new

end

root to: 'profiles#show'

end

Possible? Also, what the the better ways to do the same thing?

Was it helpful?

Solution 2

What about leaving the standard routes alone and using a before_filter in the Invitations controller to check for admin status only for the new and create actions?

class Devise::InvitationsController < DeviseController
    ...
    before_filter :is_admin?, :only => [:new, :create]
    ...
end

It looks like the devise_invitable gem actually uses this method internally as well:

class Devise::InvitationsController < DeviseController
    before_filter :authenticate_inviter!, :only => [:new, :create]
    before_filter :has_invitations_left?, :only => [:create]
    before_filter :require_no_authentication, :only => [:edit, :update]
    ...
end

According to their Readme:

To change the controller’s behavior, create a controller that inherits from Devise::InvitationsController. The available methods are: new, create, edit, and update. You should read the original controllers source before editing any of these actions.

I would just copy their default controller and try adding my own custom is_admin? before_filter in there for the new and create actions. Of course you'll also have to define the is_admin? method that the before filter calls.

OTHER TIPS

One simple way is just overwrite the authenticate_inviter! method in side of ApplicationController as follow:

class ApplicationController < ActionController::Base
  ...
  private
  def authenticate_inviter!
    unless user.role=='admin'
      redirect_to root_url, :alert => "Access Denied"
    end
    super
  end
  ...
end

And include DeviseInvitable::Inviter module into your User model:

class User < ActiveRecord::Base
  ...
  include DeviseInvitable::Inviter
  ...
end
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top