
Authorizing Controller Actions

ryanb edited this page · 1 revision

You can use the load_and_authorize_resource method in your controller to load the resource into an instance variable and authorize it for each of the 7 RESTful actions.

class CommentsController < ActionController::Base
  load_and_authorize_resource
end

This is equivalent to calling load_resource and authorize_resource separately; they are two independent steps, so you can use either one on its own.

class CommentsController < ActionController::Base
  load_resource
  authorize_resource
end

This will set up a before filter for every action in the controller. For the new or create action it will build the resource with Comment.new(params[:comment]). Otherwise it will do Comment.find(params[:id]) if that :id param exists.

Next it will authorize the resource by passing the controller action and @comment instance into the authorize! check. If the instance doesn't exist (such as on the index action) the Comment class will be used.

The resource will only be loaded into an instance variable if it hasn't been already. This allows you to easily override how the loading happens in a separate before_filter.

class BooksController < ApplicationController
  before_filter :find_book_by_permalink, :only => :show
  load_and_authorize_resource

  private

  def find_book_by_permalink
    @book = Book.find_by_permalink!(params[:id])
  end
end

Here the @book instance variable is already set so it will not be loaded for that action, only authorized. Alternatively you can use the :find_by option to do this.
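The following stand-alone Ruby script is an added illustration, not CanCan's own code, of the load-then-authorize filter described above: it skips loading when the instance variable is already set, builds on new/create, finds by :id otherwise, falls back to the class when nothing was loaded (as on index), and only then runs the ability check. The names Comment, COMMENTS, Ability, FakeCommentsController and AccessDenied, and the ownership rules in Ability, are all assumptions constructed for the example.

```ruby
# Added example, not CanCan's own code: a stand-in for the before filter
# that load_and_authorize_resource installs. Every name here (Comment,
# COMMENTS, Ability, FakeCommentsController, AccessDenied) is constructed
# for the example; CanCan's real implementation lives in its gem.

class AccessDenied < StandardError; end

# Constructed in-memory records standing in for an ActiveRecord model.
Comment = Struct.new(:id, :user_id, :body)

COMMENTS = {
  1 => Comment.new(1, 10, "alice's comment"),
  2 => Comment.new(2, 20, "bob's comment")
}.freeze

# Stands in for Comment.find(params[:id]).
def find_comment(id)
  COMMENTS.fetch(Integer(id)) { raise KeyError, "no comment with id #{id}" }
end

# Assumed ability rules: anyone may list, view or create comments, but
# only the owner may edit, update or destroy one. When the Comment class
# is passed (nothing loaded, e.g. on index) only read actions succeed.
class Ability
  def initialize(user_id)
    @user_id = user_id
  end

  def can?(action, subject)
    case action
    when :index, :show, :new, :create then true
    when :edit, :update, :destroy
      subject.is_a?(Comment) && subject.user_id == @user_id
    else false
    end
  end
end

class FakeCommentsController
  attr_reader :comment

  # preloaded mimics an earlier before_filter that already set @comment.
  def initialize(user_id, action, params, preloaded = nil)
    @user_id = user_id
    @action = action
    @params = params
    @ability = Ability.new(user_id)
    @comment = preloaded
  end

  # The filter runs the two steps in order: load, then authorize.
  def run
    load_resource
    authorize_resource
    self
  end

  # Skips loading when @comment is already set; builds on new/create,
  # finds by :id otherwise, and leaves nil when there is no :id (index).
  def load_resource
    return if @comment
    if [:new, :create].include?(@action)
      attrs = @params[:comment] || {}
      @comment = Comment.new(nil, @user_id, attrs[:body])
    elsif @params[:id]
      @comment = find_comment(@params[:id])
    end
  end

  # Authorizes the instance, or the Comment class when nothing was loaded.
  # Loading by :id alone would let any user act on any record; this is the
  # step that enforces the ability rules.
  def authorize_resource
    subject = @comment || Comment
    return if @ability.can?(@action, subject)
    raise AccessDenied, "not allowed to #{@action} #{subject.inspect}"
  end
end

# Returns :ok or :denied so the outcome of a request is easy to check.
def attempt(user_id, action, params, preloaded = nil)
  FakeCommentsController.new(user_id, action, params, preloaded).run
  :ok
rescue AccessDenied
  :denied
end

if __FILE__ == $0
  puts attempt(20, :update, { id: 1 })  # bob editing alice's comment: denied
  puts attempt(20, :update, { id: 2 })  # bob editing his own comment: ok
  puts attempt(20, :index, {})          # no :id, the Comment class is checked: ok
end
```

Passing a preloaded record (the permalink case above) keeps that object untouched, but the authorize step still runs against it, which is the property that makes overriding the loader in a separate filter safe.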

load_and_authorize_resource :find_by => :permalink

For additional information see the load_resource and authorize_resource methods in the RDoc.

Also see Nested Resources and Non RESTful Controllers.
