
Login to other user's account with Devise+Active Admin+Switch User

I'm trying to implement the switch_user gem in my existing Rails 3.0.9 application. There are two models in my application:

  1. User - for my customer accounts and it has_one Account
  2. AdminUser - This was created by ActiveAdmin

I have already enabled Devise authentication for Users, and ActiveAdmin is also working pretty well with AdminUser. Now, from my Active Admin interface, I'd like to select the Accounts and log in to those accounts just like the account owner does. Switch user is working fine, but the problem is that anyone can now simply log in to the user accounts if they know the URLs:

http://localhost:3000/switch_user?scope_identifier=user_1

All I need is to allow only an AdminUser (i.e. only if there is an ActiveAdmin session) to access the Users' accounts.

This is how my /config/initializers/switch_user.rb looks:

SwitchUser.setup do |config|
  config.controller_guard = lambda { |current_user, request| current_admin_user.nil?}
  config.redirect_path = lambda { |request, params| "/dashboard" }
end

But I get this error:

NameError in SwitchUserController#set_current_user

undefined local variable or method `current_admin_user' for main:Object

Is there any way I can access the Active Admin session?

Code for /config/initializers/active_admin.rb:

ActiveAdmin.setup do |config|
  config.site_title = "MyAppName"
  config.authentication_method = :authenticate_admin_user!
  config.current_user_method = :current_admin_user
end

By the way, in my application controller I haven't created any methods for authenticate_admin_user or current_admin_user; Active Admin works fine without them.

randika asked Jan 02 '12 22:01

2 Answers

You need to modify your local config/initializers/switch_user.rb:

config.controller_guard = lambda { |current_user, request, original_user, controller|
    controller.admin_user_signed_in?
}

The original lambda has 2 arguments. Just append more (up to 4) and use them.

Don't forget to restart the Rails server :)

Dmitry Ukolov answered Sep 18 '22 18:09


OK, I think I found a solution to secure switch_user. All I did was move the routes inside the admin_users scope:

  ActiveAdmin.routes(self)

  devise_for :admin_users, ActiveAdmin::Devise.config do
    match '/admin/switch_user', :controller => 'switch_user', :action => 'set_current_user'
  end

randika answered Sep 19 '22 18:09
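The guard from the accepted answer, exercised outside Rails as an added example (not code from the question, the answers or the switch_user gem): FakeController and Switcher are constructed stand-ins, and the example shows that the guard must return true for the switch to proceed, so only a request carrying an AdminUser session gets through. Placing the route inside the `devise_for :admin_users` block, as in the second answer, assigns the Devise mapping but is not by itself an authentication check, so the guard is the control that actually enforces the restriction.

```ruby
# Added example, not from the question or the switch_user gem: a stand-alone
# re-creation of how a controller_guard lambda gates a switch request, so the
# accepted fix can be run without booting Rails. FakeController and Switcher
# are constructed stand-ins for the real controller and gem internals.

# Stand-in for the Rails controller. `admin_user_signed_in?` is the Devise
# helper that ActiveAdmin's `devise_for :admin_users` provides.
FakeController = Struct.new(:admin_signed_in) do
  def admin_user_signed_in?
    admin_signed_in
  end
end

# The guard from the accepted answer, with the 4-argument signature.
# The guard must return true to permit the switch: only an AdminUser session passes.
GUARD = lambda { |current_user, request, original_user, controller|
  controller.admin_user_signed_in?
}

module Switcher
  # Parse a scope identifier such as "user_1" (from ?scope_identifier=user_1)
  # into ["user", 1]; anything else is rejected before any lookup happens.
  def self.parse_scope(identifier)
    m = /\A([a-z_]+)_(\d+)\z/.match(identifier.to_s)
    raise ArgumentError, "bad scope_identifier: #{identifier.inspect}" unless m
    [m[1], m[2].to_i]
  end

  # Call the guard the way the controller would (all four arguments) and
  # return either :denied or the parsed target scope.
  def self.attempt(guard, controller, scope_identifier, current_user: nil, original_user: nil)
    request = nil # constructed: no real request object is needed by this guard
    return :denied unless guard.call(current_user, request, original_user, controller)
    parse_scope(scope_identifier)
  end
end

if __FILE__ == $0
  p Switcher.attempt(GUARD, FakeController.new(false), "user_1") # => :denied
  p Switcher.attempt(GUARD, FakeController.new(true), "user_1")  # => ["user", 1]
end
```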