Using Pundit with ActiveAdmin
6 months ago

I have some trouble using Pundit with ActiveAdmin.

There are some answers on StackOverflow, but nothing works...

The error message is "Admin::DashboardController".

When I add this line to the activeadmin.rb file: config.authorization_adapter = ActiveAdmin::PunditAdapter, the error message is: "unable to find policy `ActiveAdmin::PagePolicy`".

I spent a lot of time on it! Any suggestion?

6 months ago

Hello,

I had the same issue. So, I haven't used Pundit for my Active Admin path. Are you sure your application.rb looks like this:

  class ApplicationController < ActionController::Base
    # [...]
    before_action :authenticate_user!
    include Pundit

    # Pundit: white-list approach.
    after_action :verify_authorized, except: :index, unless: :skip_pundit?
    after_action :verify_policy_scoped, only: :index, unless: :skip_pundit?

    # Uncomment when you *really understand* Pundit!
    # rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
    # def user_not_authorized
    #   flash[:alert] = "You are not authorized to perform this action."
    #   redirect_to(root_path)
    # end

    private

    # Skip the Pundit verification callbacks for Devise controllers,
    # for anything under the admin / rails_admin namespace and for "pages".
    def skip_pundit?
      devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/
    end
  end
6 months ago

My application controller looks like this:

  class ApplicationController < ActionController::Base
    # Prevent CSRF attacks by raising an exception.
    # For APIs, you may want to use :null_session instead.
    protect_from_forgery with: :exception

    # before_filter was removed in Rails 5.1; before_action is the current name.
    before_action :configure_permitted_parameters, if: :devise_controller?
    before_action :authenticate_user!
    include Pundit

    # A hash cannot carry the same key three times (Ruby keeps only the last
    # `except:`), so the actions to exclude are passed as one array.
    after_action :verify_authorized, except: [:index, :dashboard, :search], unless: :devise_controller?
    after_action :verify_policy_scoped, only: :index, unless: :devise_controller?

    rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

    def user_not_authorized
      flash[:alert] = "You are not authorized to perform this action."
      redirect_to(root_path)
    end

    def configure_permitted_parameters
      # devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:email, :password, :name) }
      devise_parameter_sanitizer.permit(:sign_up) { |u| u.permit(:email, :password, :password_confirmation, :name, :pilote, :picture, :hometown) }
      # devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, :password_confirmation, :name) }
      # devise_parameter_sanitizer.for(:sign_up) << :user
    end

    private

    def after_sign_in_path_for(resource)
      pages_dashboard_path
    end
  end

6 months ago

I don't use Rails Admin but Active Admin...

6 months ago

When you put "unless: :devise_controller?", you skip Pundit if you go to a Devise controller (it makes sense because Devise already authorizes or denies access to some of its pages depending on your status (connected, not, etc.)).

You should add an exception for Active Admin too. Active Admin already interacts with Devise in order to protect your admin pages.

So, like in my example (which is in karr.le-wagon), you should replace "unless: :devise_controller?" with "unless: :skip_pundit?"

and add

  private

  def skip_pundit?
    devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/
  end

So Pundit will not stop your visitor going to some Devise pages (like login and sign up), or going to "/admin", because Devise and Active Admin already do.
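A stand-alone check of that skip_pundit? rule, added here as an example; it is not code from the thread, from Pundit or from Active Admin. It models params[:controller] as a plain string (Rails sets it to the controller path, e.g. "admin/dashboard" for the Active Admin dashboard), runs the posted regex over a constructed list of controller paths, and compares it with a tighter pattern anchored on the namespace separator. The controllers admin_reports and administrators are hypothetical, included to show that the posted pattern also exempts any controller whose name merely begins with "admin".

```ruby
# Added example (not from the thread): exercises the skip_pundit? rule outside
# Rails. controller_path stands in for params[:controller], which Rails sets to
# the controller's path, e.g. "admin/dashboard" for ActiveAdmin's dashboard.

# The pattern exactly as posted in the thread.
LOOSE_RE = /(^(rails_)?admin)|(^pages$)/

# Tightened variant (an assumption of this example, not from the thread):
# only controllers under the admin/ or rails_admin/ namespace, plus "pages".
STRICT_RE = %r{\A((rails_)?admin/|pages\z)}

# Mirrors the thread's skip_pundit?: Devise controllers are always skipped,
# everything else is skipped only when the controller path matches the pattern.
def skip_pundit?(controller_path, devise_controller: false, pattern: LOOSE_RE)
  devise_controller || pattern.match?(controller_path)
end

# Constructed sample of controller paths; the last two are hypothetical
# application controllers whose names happen to begin with "admin".
SAMPLE_CONTROLLERS = [
  "admin/dashboard",  # ActiveAdmin dashboard
  "admin/users",      # ActiveAdmin resource
  "rails_admin/main", # RailsAdmin
  "pages",            # public pages controller
  "users",            # ordinary application controller
  "admin_reports",    # hypothetical, not an admin namespace
  "administrators",   # hypothetical, not an admin namespace
].freeze

# Controllers that never reach verify_authorized under the given pattern.
def exempt_controllers(pattern)
  SAMPLE_CONTROLLERS.select { |path| skip_pundit?(path, pattern: pattern) }
end

# Controllers the posted pattern exempts that the namespace-anchored one still checks.
def over_exempted
  exempt_controllers(LOOSE_RE) - exempt_controllers(STRICT_RE)
end

if __FILE__ == $PROGRAM_NAME
  puts "exempt with posted pattern: #{exempt_controllers(LOOSE_RE).inspect}"
  puts "exempt with strict pattern: #{exempt_controllers(STRICT_RE).inspect}"
  puts "exempt by name prefix only: #{over_exempted.inspect}"
end
```

Run it with plain ruby. Every controller the pattern matches is a controller whose actions are never checked by verify_authorized, so the exemption list is an authorization decision: keep it as narrow as the admin namespace itself, which is what the anchored pattern does.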

6 months ago

OK, I'm gonna try that.

6 months ago

But why is it written "rails" instead of "active" in

6 months ago

devise_controller? || params[:controller] =~ /(^(rails_)?admin)|(^pages$)/

6 months ago

I don't use Rails Admin, but maybe it should use a path like "/rails_admin". In Active Admin it's "/admin" normally. So it works for both ;)

6 months ago

OK.
