Skip to content

How To: Define resource actions that require authentication using routes.rb

Jump to bottom Edit New page
Bogdan edited this page May 8, 2015 · 6 revisions

Devise provides a number of useful functions for use in the config/routes.rb file. Check the source code! Some of the most useful are "authenticate", "authenticated", and "unauthenticated".

With "authenticate", it is possible to make resources and routes that will ask for authentication before they can be accessed. Devise will automatically take the user to the page they were attempting to access, once they are logged in. A simple example is here:

authenticate :user do
  resources :fjords, only: [:new, :create, :edit, :update, :destroy]
end
resources :fjords, only: [:index, :show]

Replacing "authenticate" with "authenticated" in the above code causes the resource to simply be unavailable if the user is not authenticated. Replacing "authenticate" with "unauthenticated" allows access to the first list of actions on the controller only if the user is NOT authenticated! It's also possible to alter the URL scheme for particular actions. Imagine you had a very simple site with only admin logins. The following routing file segment would put all the fjord-editing tools on the /admin path:

authenticate :user do
  scope "/admin" do
    resources :fjords, only: [:new, :create, :edit, :update, :destroy]
  end
end
resources :fjords, only: [:index, :show]

The above are both route-aspected ways to restrict access to particular resources. Most commonly documented is using the controller to restrict access to its own actions, which is an alternate but not necessarily better way to design an application. To do this, put the following line near the top of the relevant controller, inside the class file but before the action definitions:

before_action :authenticate_user!, :except => [:show, :index]

Testing route-aspected authentication can be a bit tricky. Another page on this wiki has a good solution: How-To: Controllers tests with Rails 3 and rspec

Relevant to the sort of thing that this wiki article is about: At the time of writing, Devise (Un)Authenticated Routes Are Broken in Rails because Rails 4 router doesn't support identically named routes with conditional logic.

If you want your own URL structure, see: How To: Require authentication for all pages

Getting Started

MIT License. Copyright 2009-2020 Plataformatec.. http://plataformatec.com.br

Add a custom sidebar
Clone this wiki locally