Secure the editor
In the Maglev Rails engine, we deliberately avoided relying on any specific authentication system such as Devise.
The counterpart is that it is up to the developer installing Maglev to tell Maglev whether the current user of their application has the right to access the Editor UI.
There are two major UI parts in Maglev: the Editor UI and the Admin UI. They do not use the same authentication mechanism.
You, as the developer, can pick one of two ways of verifying whether the current user of the main application is allowed to access the Editor UI:
- either you pass the name of a method available on your application's controllers (typically a protected method of your ApplicationController)
- or you pass a Proc that will be executed in the context of the Maglev::EditorUI controller, which inherits (indirectly) from the ApplicationController class of the main application, so helpers such as current_user are available inside it.
config/initializers/maglev.rb
Maglev.configure do |config|
  ...
  # config.is_authenticated = :editor_allowed? # name of any protected method from your Rails application controller
  # config.is_authenticated = ->(site) { current_user&.role == 'editor' }
  ...
end
Both solutions receive the Maglev site as their first argument and must return a boolean.
If false is returned, Maglev raises Maglev::Errors::NotAuthorized, which your ApplicationController can rescue from, as in the following example:
app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  rescue_from Maglev::Errors::NotAuthorized, with: :unauthorized_maglev

  private

  def unauthorized_maglev
    flash[:error] = "You're not authorized to access the Maglev editor!"
    redirect_to sign_in_user_path # use your own url
  end
end
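To make the contract concrete, here is an added example (not code from Maglev) that models how such a setting is resolved: a stand-in controller playing the role of the editor controller, a resolver that accepts either a method name or a Proc, and a site-scoped check that goes a step beyond the role-only Proc above. Site, User, FakeEditorController, EditorGate, the sample users and the local redefinition of Maglev::Errors::NotAuthorized are hypothetical; only the contract (site as argument, truthy result required, exception otherwise) comes from the documentation.

```ruby
# Added example, not Maglev's code: a stand-in that models the is_authenticated
# contract (method name or Proc, site passed as argument, truthy result required,
# Maglev::Errors::NotAuthorized otherwise). Site, User, FakeEditorController,
# EditorGate and the sample users are hypothetical.

Site = Struct.new(:handle)
User = Struct.new(:role, :site_handles)

# Redefined locally so the example runs without the maglev gem.
module Maglev
  module Errors
    class NotAuthorized < StandardError; end
  end
end

# Plays the role of the editor controller, which ultimately inherits from the
# host app's ApplicationController and therefore sees helpers like current_user.
class FakeEditorController
  attr_reader :current_user

  def initialize(current_user)
    @current_user = current_user
  end

  protected

  # Symbol form: a protected method on the host ApplicationController.
  # Site-scoped: the editor role alone is not enough, the user must also be
  # assigned to the site being edited.
  def editor_allowed?(site)
    current_user&.role == 'editor' && current_user.site_handles.include?(site.handle)
  end
end

module EditorGate
  # Resolve the setting against the controller and raise when not truthy.
  def self.authorize!(controller, site, setting)
    allowed =
      case setting
      when Symbol, String
        controller.send(setting, site)            # send reaches protected methods
      when Proc
        controller.instance_exec(site, &setting)  # the Proc runs inside the controller
      else
        raise ArgumentError, 'is_authenticated must be a method name or a Proc'
      end
    raise Maglev::Errors::NotAuthorized unless allowed
    true
  end
end

# The two settings shown in the config snippet above.
SYMBOL_SETTING = :editor_allowed?
PROC_SETTING   = ->(site) { current_user&.role == 'editor' }

# Constructed sample users.
EDITOR = User.new('editor', %w[www blog])
VIEWER = User.new('viewer', %w[www])
GUEST  = nil # nobody signed in

# Mirrors what the rescue_from in ApplicationController would observe.
def editor_access?(user, site, setting)
  EditorGate.authorize!(FakeEditorController.new(user), site, setting)
rescue Maglev::Errors::NotAuthorized
  false
end

if __FILE__ == $PROGRAM_NAME
  puts editor_access?(EDITOR, Site.new('www'),  SYMBOL_SETTING) # true
  puts editor_access?(EDITOR, Site.new('shop'), SYMBOL_SETTING) # false: not assigned to shop
  puts editor_access?(EDITOR, Site.new('shop'), PROC_SETTING)   # true: role-only check
  puts editor_access?(VIEWER, Site.new('www'),  PROC_SETTING)   # false
  puts editor_access?(GUEST,  Site.new('www'),  PROC_SETTING)   # false: no user at all
end
```

The nil user case is the one to watch: `current_user&.role` returns nil when nobody is signed in, so both forms fail closed instead of raising NoMethodError.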
For simple projects, installing a gem like Devise can be a little cumbersome. Here is a very simple way to still protect the Editor UI, using HTTP Basic authentication.
First, modify your Maglev config file:
config/initializers/maglev.rb
Maglev.configure do |config|
  ...
  config.is_authenticated = :authenticate_maglev_editor
  # Run when the user leaves the editor. An off-site redirect needs
  # allow_other_host: true on Rails 7+ (the option is ignored by older versions).
  config.back_action = ->(site) { redirect_to 'https://www.nocoffee.fr', allow_other_host: true }
  ...
end
The last step is to modify the ApplicationController of your main Rails application:
app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  ...
  protected

  # Called by Maglev with the site being edited; the argument is unused here
  # because the same credentials protect every site.
  def authenticate_maglev_editor(site)
    http_basic_authenticate_or_request_with(
      name: ENV.fetch('MAGLEV_EDITOR_USERNAME'),
      password: ENV.fetch('MAGLEV_EDITOR_PASSWORD')
    )
  end
end
Of course, you will have to set two new ENV variables in your project: MAGLEV_EDITOR_USERNAME and MAGLEV_EDITOR_PASSWORD. ENV.fetch raises when either is missing, so a misconfigured deployment refuses everyone rather than letting everyone in.
HTTP Basic authentication sends the credentials with every request, so only use it over HTTPS and pick a long, random password.
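What the helper call above actually checks, as an added example in plain Ruby (this is neither Maglev's code nor the Rails helper itself, just a model of it that can be exercised offline): it parses the Authorization header, compares both credentials in constant time, answers with a WWW-Authenticate challenge on failure, and refuses everyone when the ENV variables are unset. AuthResult, check_basic_auth, decode_basic, secure_compare, SAMPLE_ENV and the sample headers are hypothetical names constructed for this example.

```ruby
# Added example, not Maglev's code and not the Rails helper: a plain-Ruby model
# of what http_basic_authenticate_or_request_with does with the two ENV
# variables. AuthResult, check_basic_auth, decode_basic, secure_compare and the
# constructed SAMPLE_ENV / headers are hypothetical.
require 'digest'

AuthResult = Struct.new(:status, :headers, :authorized)

# Constant-time comparison without ActiveSupport: hash both sides so the
# lengths match, then OR the XOR of every byte pair (no early exit).
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s).bytes
  db = Digest::SHA256.digest(b.to_s).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse "Basic <base64(user:password)>"; returns nil for anything malformed.
def decode_basic(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = begin
    header.delete_prefix('Basic ').unpack1('m0') # strict base64, core Ruby
  rescue ArgumentError
    return nil
  end
  return nil unless decoded.include?(':')
  decoded.split(':', 2) # the password itself may contain ':'
end

# env mirrors ENV: fetch raises KeyError when a variable is unset, so a
# misconfigured deployment refuses everyone instead of letting everyone in.
def check_basic_auth(authorization_header, env)
  expected_name = env.fetch('MAGLEV_EDITOR_USERNAME')
  expected_pass = env.fetch('MAGLEV_EDITOR_PASSWORD')

  name, password = decode_basic(authorization_header)
  # Single & (not &&) so both comparisons always run, as the Rails helper does.
  if name && (secure_compare(name, expected_name) & secure_compare(password, expected_pass))
    AuthResult.new(200, {}, true)
  else
    AuthResult.new(401, { 'WWW-Authenticate' => 'Basic realm="Maglev editor"' }, false)
  end
end

# Constructed configuration and requests for a local run.
SAMPLE_ENV = { 'MAGLEV_EDITOR_USERNAME' => 'editor',
               'MAGLEV_EDITOR_PASSWORD' => 'correct horse battery staple' }
GOOD_HEADER = 'Basic ' + ['editor:correct horse battery staple'].pack('m0')
BAD_HEADER  = 'Basic ' + ['editor:guess'].pack('m0')

if __FILE__ == $PROGRAM_NAME
  p check_basic_auth(GOOD_HEADER, SAMPLE_ENV).status # 200
  p check_basic_auth(BAD_HEADER, SAMPLE_ENV).status  # 401
  p check_basic_auth(nil, SAMPLE_ENV).headers        # WWW-Authenticate challenge
  begin
    check_basic_auth(GOOD_HEADER, {})                # no credentials configured
  rescue KeyError => e
    puts "refused: #{e.message}"
  end
end
```

Note that the check never shortens the work it does on a wrong username: both comparisons run regardless, so response time does not reveal which half of the credential pair was correct.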
By default, the Admin UI is available without any credentials in the development and test environments.
In production, it requires a username and password that can be defined in the Maglev config file like this:
config/initializers/maglev.rb
Maglev.configure do |config|
  ...
  # Admin UI authentication (https://docs.maglev.dev/guides/authentication)
  config.admin_username = Rails.env.production? ? ENV.fetch('MAGLEV_ADMIN_USERNAME') : nil
  config.admin_password = Rails.env.production? ? ENV.fetch('MAGLEV_ADMIN_PASSWORD') : nil
  ...
end