I found this example Ruby on Rails app showcasing the devise gem
and its use with roles.
In the readme they mention that:
an ordinary user can’t change their role
an ordinary user can see (and edit) their own user profile
However, looking at the users controller
```ruby
class UsersController < ApplicationController
  # Devise: every action requires a signed-in user.
  before_action :authenticate_user!
  # Everything except :show additionally requires an admin.
  before_action :admin_only, :except => :show

  def show
    @user = User.find(params[:id])
    unless current_user.admin?
      # Non-admins may only view their own record.
      unless @user == current_user
        redirect_to root_path, :alert => "Access denied."
      end
    end
  end

  def update
    # Reached only by admins (see admin_only above).
    @user = User.find(params[:id])
    if @user.update_attributes(secure_params)
      redirect_to users_path, :notice => "User updated."
    else
      redirect_to users_path, :alert => "Unable to update user."
    end
  end

  def admin_only
    unless current_user.admin?
      redirect_to root_path, :alert => "Access denied."
    end
  end

  def secure_params
    # Strong parameters: only :role is permitted on update.
    params.require(:user).permit(:role)
  end
end
```
We can see that all actions are allowed only for admin users, except show,
where the currently signed-in user is checked against the @user
we are trying to fetch/show. That makes sense for this part of the readme: "an ordinary user can see their own user profile".
What I don't get is that the readme says a user can also edit their own profile, but the update
action is only allowed to be executed by an admin user (and even then, the admin is only able to change the user's role? permit(:role)).
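Added example, not code from the linked repo: a Rails-free sketch of the object-level and attribute-level checks the README describes ("users may edit their own profile, but not their role"), so the rule can be run and tested without booting the app. User, PROFILE_ATTRS, may_update? and update_user are hypothetical stand-ins for the Devise model, the before_action and the controller's update/secure_params.

```ruby
# Hypothetical stand-in for the Devise user model.
User = Struct.new(:id, :name, :email, :role) do
  def admin?
    role == "admin"
  end
end

# Attributes an ordinary user may change on their own profile.
PROFILE_ATTRS = %w[name email].freeze
# Privileged attributes that only an admin may change.
ADMIN_ATTRS = %w[role].freeze

# What secure_params should permit for a given actor: admins may set
# any attribute, ordinary users only the profile fields.
def permitted_attrs(current_user)
  current_user.admin? ? PROFILE_ATTRS + ADMIN_ATTRS : PROFILE_ATTRS
end

# Equivalent of a before_action guarding :update: the actor may update
# the target only if they are an admin or are editing themselves.
def may_update?(current_user, target)
  current_user.admin? || current_user.id == target.id
end

# Applies an update the way a corrected controller would: object-level
# check first, then attribute filtering (strong parameters). Returns
# [:denied, user] or [:updated, user]. Unpermitted keys are silently
# dropped, so a non-admin sending role=admin keeps their old role.
def update_user(current_user, target, params)
  return [:denied, target] unless may_update?(current_user, target)

  allowed = permitted_attrs(current_user)
  params.each do |key, value|
    next unless allowed.include?(key.to_s)
    target[key.to_sym] = value
  end
  [:updated, target]
end
```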
I suggest following a more up-to-date guide on this sort of thing: https://altalogy.com/blog/rails-6-user-accounts-with-3-types-of-roles/
The repo you linked was last updated 4 years ago. I attempted to pull down the repo and test it locally for the points you raised, and I ran into way too many issues trying to do so. Look elsewhere for guidance on this.
Edit: I did take a look through the code though and I'm not entirely sure how this app does what the README says it does.