I`m creating a webpage with rails 6 , devise and cancan .
I need an admin role but i do not want to create a separate model instead i added a Boolean column to user is table , but here`s the thing ,
If any user sign up then it would be a security concern that any user would grant admin privileges only by changing the value of this column to true .
So i thought perhaps i would remove "admin" from "user_params" but then i would have to make this change from the console which is not good enough.
How i should only grant admin to specific user , my thoughts where i would only allow it for the first user only, or specific email but it feels stupid , there must be a smarter way.
How i get the application to have only one admin who can make any other user admin but only him who can do that and if any normal user signed up , no matter what he ca not manipulate this column in any way?
Best Regards
admin from user_params in signup controller. You don't want users to become admin just by preparing request.super_admin, and grant this role from the console if you have to do it only once.super_admin where she can update admin for all users.