The default configuration of Administrate is "authenticate-only" - once a user is authenticated, that user has access to every action of every object.

You can add more fine-grained authorization by overriding methods in the controller.

Using Pundit

If your app already uses Pundit for authorization, you just need to add one line to your Admin::ApplicationController:

include Administrate::Punditize

This will use all the policies from your main app to determine if the current user is able to view a given record or perform a given action.

Further limiting scope

You may want to limit the scope for a given user beyond what they technically have access to see in the main app. For example, a user may have all public records in their scope, but you want to only show their records in the admin interface to reduce confusion.

In this case, you can add an additional resolve_admin to your policy's scope and Administrate will use this instead of the resolve method.

For example:

class PostPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve

    def resolve_admin
      scope.where(owner: user)

Authorization without Pundit

If you use a different authorization library, or you want to roll your own, you just need to override a few methods in your controllers or Admin::ApplicationController. For example:

# Limit the scope of the given resource
def scoped_resource
  super.where(user: current_user)

# Raise an exception if the user is not permitted to access this resource
def authorize_resource(resource)
  raise "Erg!" unless show_action?(params[:action], resource)

# Hide links to actions if the user is not allowed to do them
def show_action?(action, resource)
  current_user.can? action, resource