New Users Only Created by Admin User

Michael Stitt asked in Gems / Libraries

I'm building an internal app for my company that contains data from various sources (e.g. web analytics, server logs, etc.). It's hosted on an EC2 instance with a DNS of "reports.example.com". Right now I have a security group on AWS that limits access to just my work IP address; however, I'd like to be able to log in from my phone and look at certain pages/reports.

In order to do that I'll have to force users to log in, which I'm already doing (I'm using Devise for authentication and Pundit for authorization).

class ApplicationController < ActionController::Base
  before_action :authenticate_user!
  ...
end

However, if I remove the IP constriction a random person can still find the URL and sign up. So, my question is how do I make it so that only I (or any admin) can create a new user, and then when they log in for the first time they are prompted to create a new password?

I'm planning on building a page (/admin/users) that lists each user and allows me to activate/deactivate the account, as well as add a new user to the system.

I guess I'm just curious how to limit the registration of new users unless an admin creates it. Any advice is appreciated!

I'd suggest removing the :registerable option from the Devise User. That will remove all the registration functionality and you can replace it by adding in the devise_invitable gem. This is just a plugin to allow you to create accounts with only an email and send an email invitation for the user to accept and set their password. You can add additional fields in (like Name) to be populated either when you send or when they set their password.

That should do the trick for you and then you'll have nothing but a "Sign In" section on the site. That should do the trick if you want to expose this publicly.

The other idea is to make everyone connect through a VPN, but that's always a hassle.
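The invite-only flow suggested above (no public sign-up, an admin creates the account, the user sets a password on first login), as an added plain-Ruby sketch that is not part of the original thread and not devise_invitable's code. The class name, the 7-day validity window, and the 12-character minimum are assumptions made for the example.

```ruby
require "securerandom"
require "openssl"
# In-memory model of an invite-only flow; names are hypothetical, not devise_invitable's code.
class InviteOnlyAccounts
  INVITE_TTL = 7 * 24 * 3600 # assumed validity window, in seconds
  User = Struct.new(:email, :admin, :invite_digest, :invited_at, :salt, :pw_hash)

  # The first admin is seeded out of band (console or seeds), never through the web.
  def initialize(admin_email, admin_password)
    @users = { admin_email => set_password(User.new(admin_email, true), admin_password) }
  end

  # Admin-only creation. The raw token is e-mailed; only its SHA-256 digest is stored.
  def invite(email, by:)
    raise SecurityError, "admin only" unless by && by.admin
    raise ArgumentError, "account exists" if @users.key?(email)
    raw = SecureRandom.urlsafe_base64(32)
    @users[email] = User.new(email, false, OpenSSL::Digest::SHA256.hexdigest(raw), Time.now)
    raw
  end

  # First login: redeem the token once, inside the TTL, and choose a password.
  def accept(raw_token, password, now: Time.now)
    wanted = OpenSSL::Digest::SHA256.hexdigest(raw_token.to_s)
    user = @users.values.find { |u| u.invite_digest == wanted }
    return nil if user.nil? || now - user.invited_at > INVITE_TTL
    return nil if password.to_s.length < 12 # assumed minimum length
    user.invite_digest = user.invited_at = nil # single use
    set_password(user, password)
  end

  # Invited-but-unaccepted accounts have no password hash and cannot sign in.
  def authenticate(email, password)
    user = @users[email]
    return nil if user.nil? || user.pw_hash.nil?
    diff = kdf(password, user.salt).bytes.zip(user.pw_hash.bytes).sum { |a, b| a ^ b }
    diff.zero? ? user : nil # compares every byte regardless of where they differ
  end

  private
  def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest::SHA256.new)
  end
  def set_password(user, password)
    user.salt = SecureRandom.random_bytes(16)
    user.pw_hash = kdf(password, user.salt)
    user
  end
end
```

There is deliberately no sign-up method: the only way an account comes into existence is `invite` called with an authenticated admin.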

The devise_invitable gem was exactly what I was looking for! Thanks for the recommendation.

I had no idea about devise_invitable. This is awesome. In the past I removed :registerable and created a match route to 404 signup requests like so:

match 'users/sign_up' => redirect('/404.html')

Hackish but it works. But I think Chris' suggestion is better.
