working on authentication

app/controllers/application_controller.rb

@@ -1,3 +1,3 @@
 class ApplicationController < ActionController::Base
-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, prepend: true
 end

app/controllers/schools_controller.rb

@@ -1,11 +1,8 @@
 class SchoolsController < ApplicationController
+  before_action :authenticate_user!, except: [:show]
   before_action :set_school, only: [:admin, :show, :edit, :update, :destroy]
+  before_action :verify_admin, except: [:show, :create, :new]
 
-  # GET /schools
-  # GET /schools.json
-  def index
-    @schools = School.all
-  end
 
   # GET /schools/1
   # GET /schools/1.json
@@ -13,6 +10,9 @@ class SchoolsController < ApplicationController
     @school_categories = @school.school_categories.for_parent_category(@school, nil).sort
   end
 
+  def admin
+  end
+
   # GET /schools/new
   def new
     @school = School.new
@@ -72,4 +72,11 @@ class SchoolsController < ApplicationController
     def school_params
       params.require(:school).permit(:name, :district_id)
     end
+
+    def verify_admin
+      return true if current_user.admin?(@school)
+
+      redirect_to root_path, notice: 'You must be logged in as an admin of that school to access that page.'
+      return false
+    end
 end

app/controllers/users_controller.rb

@@ -0,0 +1,17 @@
+class UsersController < ApplicationController
+
+  def show
+  end
+
+
+  # private
+  #   # Use callbacks to share common setup or constraints between actions.
+  #   def set_district
+  #     @district = District.find(params[:id])
+  #   end
+  #
+  #   # Never trust parameters from the scary internet, only allow the white list through.
+  #   def district_params
+  #     params.require(:district).permit(:name, :state_id)
+  #   end
+end