In a project we built, we are using que for doing our background-jobs, and there is a very simple (but sufficient) and clean web-ui, called que-web, allowing us to monitor the status of the jobs online.
And normally, you just include it in your project by adding the gem, and then adding the following to your config/routes.rb:

    require "que/web"
    mount Que::Web => "/que"

But, this is completely open and unauthenticated. So we use devise, and it is really easy to limit a route to authenticated users:

    require "que/web"
    authenticate :user do
      mount Que::Web => "/que"
    end

At least this limits the accessibility to logged-in users. But we wanted it to be available only to admin users. So I thought I had to resort to defining my own constraint class, as follows:

    class CanSeeQueConstraint
      def matches?(request)
        # determine if current user is allowed to see que
      end
    end

and in the routes write it as follows

    require 'can_see_que_constraint'
    mount Que::Web, at: '/que', constraints: CanSeeQueConstraint.new

The problem was: how do I get to the current user in a constraint class? So I took a peek at how the authenticate block in devise works, and apparently there is an easier option: the authenticate block takes a lambda, where you can test the currently authenticated user. Woah! Just what we need. So we wrote the following to only allow our administrators to see/manage our background jobs:

    authenticate :user, lambda {|u| u.roles.include?("admin") } do
      mount Que::Web, at: 'que'
    end

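For the constraint-class route considered earlier, the current user is reachable through the Warden proxy that devise places in request.env["warden"]. The following is an added example, not code from the original post; FakeUser, FakeWarden, FakeRequest and que_visible_to? are constructed stand-ins so the class can be exercised outside Rails.

```ruby
# Added example: a fail-closed version of the constraint class.
# devise stores the Warden proxy in request.env["warden"]; warden.user(:user)
# returns the signed-in record for the :user scope, or nil when nobody is signed in.
class CanSeeQueConstraint
  def initialize(scope: :user, role: "admin")
    @scope = scope
    @role = role
  end

  def matches?(request)
    warden = request.env["warden"]
    return false if warden.nil?                   # Warden middleware missing: deny
    user = warden.user(@scope)
    return false if user.nil?                     # not signed in: deny
    return false unless user.respond_to?(:roles)  # unexpected model: deny
    # Array() turns nil into [] and forces an exact element match, so a
    # String role such as "superadmin" does not pass via substring matching.
    Array(user.roles).include?(@role)
  end
end

# Constructed stand-ins (assumptions) for the Rails request, the Warden
# proxy and the user model, so the example runs without Rails or devise.
FakeUser = Struct.new(:roles)
FakeWarden = Struct.new(:current) do
  def user(_scope = nil)
    current
  end
end
FakeRequest = Struct.new(:env)

# Hypothetical helper: builds a request for the given user and asks the constraint.
def que_visible_to?(user, warden_present: true)
  env = warden_present ? { "warden" => FakeWarden.new(user) } : {}
  CanSeeQueConstraint.new.matches?(FakeRequest.new(env))
end
```

When mounted with constraints: CanSeeQueConstraint.new, a false result means the route does not match, so a denied user gets a 404 rather than a redirect to the sign-in page.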
Comments
My god - you saved me a HUGE headache. It took forever to find this blog post, but it is really helpful! I'm trying to use redis-browser, and I don't want random people to start messing with my redis ;D Thanks so much.