Authorization and authentication

gacha edited this page Apr 15, 2013 · 5 revisions

By default, Lolita does not restrict access to any part of it.

Authentication

To enable authentication you need to set user classes and an authentication method (see Lolita Setup for details). Once this is done, Lolita calls the method set in authentication_method on each request. User classes are used to detect which user is active, so the order in which they are added sets their priority (first in, first out). This matters only when there is more than one user class, and it is used only in views, for the email, logout button, etc.

The easiest way to implement authorization is to use Devise.

Authorization

By default, all access to resources is authorized. If you want to restrict access to resources, you can add CanCan to your application. Once your application has authorization, all requests are authenticated, and links in views, such as edit, New resource and destroy, need authorization as well. Lolita has integration with CanCan, but you can define the methods

  • current_ability
  • can?
  • cannot?
  • authorize!

in your application and use your own logic. For details see lib/lolita/controllers/authorization_helpers.rb
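
An added example (not Lolita's or CanCan's own code) of supplying the four methods with your own deny-by-default logic. The `(action, subject)` signatures follow CanCan's conventions and are an assumption about what Lolita expects; `SimpleAbility`, `AccessDenied`, `OwnAuthorization`, `FakeController` and the role names are hypothetical.

```ruby
# Added example. SimpleAbility, AccessDenied and the roles are hypothetical.
class AccessDenied < StandardError; end

# Deny-by-default rule table: anything not listed is refused.
class SimpleAbility
  RULES = {
    admin:  { manage: :all },                  # constructed sample roles
    editor: { read: :all, update: [:Post] }
  }.freeze

  def initialize(user)
    @rules = user ? RULES.fetch(user[:role], {}) : {}  # no user or unknown role => no rights
  end

  def can?(action, subject)
    name = case subject
           when Symbol, String then subject.to_sym
           when Class then subject.name.to_sym
           else subject.class.name.to_sym      # a record: check against its class
           end
    [@rules[:manage], @rules[action]].compact.any? do |scope|
      scope == :all || Array(scope).include?(name)
    end
  end
end

# Mix into a controller-like object that exposes current_user.
module OwnAuthorization
  def current_ability
    @current_ability ||= SimpleAbility.new(current_user)
  end

  def can?(action, subject)
    current_ability.can?(action, subject)
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end

  # Raises instead of returning false, so an unchecked result cannot pass silently.
  def authorize!(action, subject)
    raise AccessDenied, "#{action} on #{subject} denied" if cannot?(action, subject)
    subject
  end
end

# Constructed stand-in for a controller, so the example runs outside Rails.
FakeController = Struct.new(:current_user) { include OwnAuthorization }
```

Because `can?` drives which links the views render and `authorize!` guards the request itself, both must read from the same rule table, as they do here through `current_ability`.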

Use CanCan

To add custom authorization with CanCan, create CanCan's ability config file in the default location, app/models/ability.rb, or somewhere else if you like. Then add config.authorization = "CanCan" in config/initializers/lolita.rb and modify config.user_classes or config.authentication if needed, as described above. Restart the server and it should work.