Skip to main content

New Users Only Created by Admin User

Gems / Libraries • Asked by Michael Stitt

I'm building an internal app for my company that contains data from various sources (e.g. web analytics, server logs, etc.). It's hosted on an EC2 instance with a DNS of "reports.example.com". Right now I have a security group on AWS that limits access to just my work IP Address, however, I'd like to be able to login from my phone and look at certain pages/reports.

In order to do that I'll have to force users to login, which I'm already doing (I'm using Devise for authentication and Pundit for authorization).

class ApplicationController < ActionController::Base
  before_action :authenticate_user!
  ...
end

However, if I remove the IP constriction a random person can still find the URL and sign up. So, my question is how do I make it so that only I (or any admin) can create a new user, and then when they login for the first time they are prompted to create a new password?

I'm planning on building a building a page (/admin/users) that lists each user and allows me to activate/deactivate the account, as well as add a new user to the system.

I guess I'm just curious how to limit the registration of new users unless an admin creates it. Any advice is appreciated!


I'd suggest removing the :registerable option from the Devise User. That will remove all the registration functionality and you can replace it by adding in the devise_invitable gem. This is just a plugin to allow you to create accounts with only an email and send an email invitation for the user to accept and set their password. You can add additional fields in (like Name) to be populated either when you send or when they set their password.

That should do the trick for you and then you'll have nothing but a "Sign In" section on the site. That should do the trick if you want to expose this publicly.

The other idea is to make everyone connect through a VPN, but that's always a hassle.


The devise_invitable gem was exactly what I was looking for! Thanks for the recommendation.


I had no idea about devise_invitable. This is awesome. In the past I removed :registerable and created a match route to 404 signup requests like so:

match 'users/sign_up' => redirect('/404.html')

Hackish but it works. But I think Chris' suggestion is better.


Login or Create An Account to join the conversation.

Subscribe to the newsletter

Join 24,647+ developers who get early access to new screencasts, articles, guides, updates, and more.

    By clicking this button, you agree to the GoRails Terms of Service and Privacy Policy.

    More of a social being? We're also on Twitter and YouTube.