In Rails, how to have an /admin section, and then controllers within the admin section?
I want to have a /admin section in my application, and have routes within this /admin section like:
www.example.com/admin/ (only certain users have access to this section)
then have controllers in this section like:
/admin/users/{add, new, etc}
What are my options for something like this? (using rails 3)
I prefer to do something similar to Todd's answer but slightly different. Rather than adding the before_filter to each controller related to Admin stuff I prefer to create an AdminController that all controllers related to admin actions can inherit from:
# config/routes.rb
namespace :admin do
  resources :users
end

# app/controllers/admin_controller.rb
class AdminController < ApplicationController
  before_filter :authorized?

  private

  def authorized?
    unless current_user.has_role? :admin
      flash[:error] = "You are not authorized to view that page."
      redirect_to root_path
    end
  end
end

# app/controllers/admin/users_controller.rb
class Admin::UsersController < AdminController
  ...
end
Do something like this in your routes.rb:
namespace :admin do
  resources :users
end
See http://guides.rubyonrails.org/routing.html for more detail.
Then in each admin controller you'll need a before_filter:
before_filter :authorized?

def authorized?
  # check if authorized here.
end
As Todd mentioned, you want to add a namespaced route:
namespace :admin do
  resources :users
end
You also need to put your controllers, views, etc in subfolders of each of these sections called "admin/". If you're generating this from scratch, it's easy:
rails g controller admin/users
This may seem pretty complicated, but I have an article that walks through all of this, with a sample rails 3 app you can download to play around with it:
Routing in Ruby on Rails 3
Then in each admin controller you'll need a before_filter:
before_filter :authorized?

def authorized?
  # check if authorized here.
end

I think it's better if he puts this code into a main AdminController which inherits from ApplicationController, then each admin controller will inherit from this AdminController.
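The inheritance pattern from the AdminController answer and this comment, as an added runnable example (not code from the original post or from Rails). It stands in for the Rails filter machinery with a small FakeController class so it runs without Rails, and adds a regression check that lists any Admin:: controller that forgot to inherit from AdminController, which is the failure mode the per-controller before_filter approach invites.

```ruby
# Stand-in for the Rails filter machinery (not Rails code) so the pattern runs offline.
class FakeController
  # Filters declared on a superclass are inherited by subclasses, as in Rails.
  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : [])
  end
  def self.before_filter(name); filters << name; end

  attr_reader :current_user, :flash, :redirected_to
  def initialize(current_user); @current_user, @flash = current_user, {}; end
  def redirect_to(path); @redirected_to = path; end

  # Run the filter chain, then the action; a redirect in a filter halts the chain.
  def dispatch(action)
    self.class.filters.each do |f|
      send(f)
      return :redirected if @redirected_to
    end
    send(action)
    :rendered
  end
end

User = Struct.new(:roles) do
  def has_role?(role); roles.include?(role); end
end

# The base admin controller from the answer above: one filter guards every subclass.
class AdminController < FakeController
  before_filter :authorized?
  private
  def authorized?
    unless current_user.has_role?(:admin)
      flash[:error] = "You are not authorized to view that page."
      redirect_to "/"
    end
  end
end

module Admin
  class UsersController < AdminController
    def index; end
  end
  # Mistake (constructed for the example): inherits from the plain base, so the filter never runs.
  class ReportsController < FakeController
    def index; end
  end
end

# Regression check: name every Admin::*Controller that does not descend from AdminController.
def unguarded_admin_controllers
  Admin.constants.map { |c| Admin.const_get(c) }
       .select { |k| k.is_a?(Class) && k.name.end_with?("Controller") && !(k <= AdminController) }
       .map(&:name)
end
```

In a real app the same check belongs in the test suite, iterating over the controllers under app/controllers/admin/.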
About Rails3, here is a good article about routes
Obviously what Todd said is correct. However if you're a fan of additional security through obscurity, you can also keep your new_admin_user url helpers and Admin:: namespaced controllers, but provide a less widely-used public url path with the following:
scope :module => "admin", :as => 'admin', :path => 'xyz' do
  resources :users
end
Running rake routes with that setup will show routes along these lines:
new_admin_user GET /xyz/users/new(.:format) {:controller=>"admin/users", :action=>"new"}
I suppose the only actor this would thwart is an unsophisticated attacker who's crawled and compiled a bunch of Rails sites that provide system access at admin/, but I don't see any harm in daring to be different with your admin console paths really.
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  before_filter :if_namespace_is_admin?

  private

  def if_namespace_is_admin?
    # now you should check to see if the namespace is from admin
    # (one way: controller_path is "admin/users" for Admin::UsersController)
    return unless controller_path.start_with?("admin/")
    # now check that current_user is allowed into the admin section
    # now you need namespaces because ruby ns confuse the f'out of me
  end
end