Ruby on Rails authorization exemple

index.html.erb

# app/views/users/index.html.erb
<h1>Liste des utilisateurs</h1>
<ul>
  <% @users.each do |user| %>
    <li><%= user.id %></li>
  <% end %>
</ul>

routes.rb

# config/routes.rb
Rails.application.routes.draw do
  get 'users' => 'users#index'
  get 'users/home' => 'users#home'
  get 'users/login' => 'users#login'
  delete 'users/login' => 'users#logout'
  post 'users/login' => 'users#check'
end

users_controller.rb

# app/controllers/users_controller.rb
class UsersController < ApplicationController
  def index
    if @current_user.try(:role) != "admin"
      flash[:error] = "Accès interdit"
      return redirect_to request.referrer || "/users/home"
    end
    @users = User.all
  end

  def home
  end

  def login
  end

  def check
    @current_user = User.where(name: params[:name], password: params[:password]).first
    if @current_user
      session[:user_id] = @current_user.id
      flash[:info] = "Vous êtes maintenant connecté"
      redirect_to "/users/home"
    else
      session[:user_id] = nil
      flash[:info] = "Échec de la connexion"
      redirect_to "/users/login"
    end
  end
end