Secure the editor
In the Maglev Rails engine, we managed to avoid relying on any specific authentication system such as .
The counterpart is that it is now up to the developer installing Maglev to tell Maglev whether the current user of their application has the right to access the Editor UI.
There are 2 major UI parts in Maglev: the Editor UI and the Admin UI. Those 2 parts don't require the same authentication mechanism.
As the developer, you can pick one of 2 ways of verifying whether the current user of the main application is allowed to access the Editor UI:
either you pass the name of a globally available method,
or you pass a Proc that is executed in the context of the Maglev::EditorUI controller, which does not inherit directly from the ApplicationController class of the main application.
Both solutions take the Maglev site as their first argument and must return a boolean.
If false is returned, Maglev will raise an exception that the ApplicationController can rescue from like in the following example:
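The contract described above (a method name or a Proc, the site as first argument, a boolean result, an exception on refusal) can be modelled in plain Ruby. This is an added sketch, not Maglev's code: every class, constant and method name in it is hypothetical, and treating any non-`true` result as a refusal is an assumption of the sketch.

```ruby
# Added illustration only. EditorGate, NotAuthorized, FakeController, FakeUser,
# FakeSite, ROLE_CHECK and editor_allowed? are hypothetical, not Maglev's API.
class NotAuthorized < StandardError; end

module EditorGate
  # check is a method name (Symbol/String) or a Proc; both get the site first.
  def self.authorize!(controller, check, site)
    result =
      case check
      when Symbol, String then controller.send(check, site) # private helpers too
      when Proc then controller.instance_exec(site, &check) # self = controller
      else raise ArgumentError, 'check must be a method name or a Proc'
      end
    # Assumption of this sketch: fail closed, only a literal true grants access.
    raise NotAuthorized, 'editor access denied' unless result == true
    true
  end
end

FakeUser = Struct.new(:role)
FakeSite = Struct.new(:name)

# Proc form: current_user resolves on the controller because of instance_exec.
ROLE_CHECK = ->(_site) { current_user&.role == 'editor' }

class FakeController
  attr_reader :current_user

  def initialize(user)
    @current_user = user
  end

  # Stands in for a rescue in the host ApplicationController.
  def open_editor(check, site)
    EditorGate.authorize!(self, check, site)
    :editor_rendered
  rescue NotAuthorized
    :redirected_to_login
  end

  private

  # Method-name form.
  def editor_allowed?(_site)
    !current_user.nil? && current_user.role == 'editor'
  end
end
```

A check that returns a truthy non-boolean such as a string is refused here, which keeps a sloppy predicate from silently opening the editor.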
For simple projects, installing a gem like Devise can be a little cumbersome. So, here is a very simple way to still protect the editor UI.
First, modify your Maglev config file:
The final step is to modify the ApplicationController of your main Rails application:
By default, the Admin UI is available without any credentials in the development and test environments.
In production, it requires a username and password that can be defined in the Maglev config file like this: