Skipping "authorize_resource" or "load_and_authorize_resource" method on inherited controllers

[ghost]

Currently if your controllers inherit from an AdminController and you wish to put the load_and_authorize_resource in that AdminController, skipping that method on specific controllers is challenging. Any thoughts on clean ways to do this? I am still digging into the code an hope to provide some type of patch.

[ryanb]

Currently the before_filter is created using a block which means there's no name attached to it so you can't use skip_before_filter. I'll research this a bit and try to come up with the best solution.

[ryanb]

Currently the before_filter is created using a block which means there's no name attached to it so you can't use skip_before_filter. I'll research this a bit and try to come up with the best solution.

[ryanb]

I did some testing and it doesn't look like it's possible to attach a name to a before filter when a block is used. One option is to internally use a method call instead of a block so skip_before_filter can be used, but the problem with that is if one uses load_and_authorize_resource I'd like them to have the choice if they want to skip the loading or the authorization.

Another option is to create these class methods: skip_load_resource, skip_authorize_resource and skip_load_and_authorize_resource. This way one can choose to skip just the loading if they want. However this does mean I'd have to implement the :only and :except options from scratch. Hmm.

If anyone has any suggestions please let me know.

[ryanb]

I did some testing and it doesn't look like it's possible to attach a name to a before filter when a block is used. One option is to internally use a method call instead of a block so skip_before_filter can be used, but the problem with that is if one uses load_and_authorize_resource I'd like them to have the choice if they want to skip the loading or the authorization.

Another option is to create these class methods: skip_load_resource, skip_authorize_resource and skip_load_and_authorize_resource. This way one can choose to skip just the loading if they want. However this does mean I'd have to implement the :only and :except options from scratch. Hmm.

If anyone has any suggestions please let me know.

[sekrett]

You may use double inheritance. You create one class Admin::BaseController, and another:

class Admin::AuthBaseController < Admin::BaseController
  load_and_authorize_resource
end

Later in your application you decide from which on these two classes to inherit.

Even better to put load_resource in first class and authorize_resource in second.

[sekrett]

You may use double inheritance. You create one class Admin::BaseController, and another:

class Admin::AuthBaseController < Admin::BaseController
  load_and_authorize_resource
end

Later in your application you decide from which on these two classes to inherit.

Even better to put load_resource in first class and authorize_resource in second.

[ghost]

@ryan - You are correct, I realized this after digging more into the code and realized my attempt to use a skip_before_filter was only perceived to be working b/c some other code was preventing the filter from being called. I like the second option you presented - it seems like the most flexible.
@sekrett - Good approach too - I thought of something similar, but I like your naming structure better then what I had ;)

[ghost]

@ryan - You are correct, I realized this after digging more into the code and realized my attempt to use a skip_before_filter was only perceived to be working b/c some other code was preventing the filter from being called. I like the second option you presented - it seems like the most flexible.
@sekrett - Good approach too - I thought of something similar, but I like your naming structure better then what I had ;)

[khoan]

You can always skip user authentication, and set the ability of nil user to be manage all or something to the effect of disabling authorization.

class MyController
  skip_before_filter :authenticate_user!
end

class Ability
  def initialize(user)
    if user.nil?
      can :manage, :all
    end
  end
end

[khoan]

You can always skip user authentication, and set the ability of nil user to be manage all or something to the effect of disabling authorization.

class MyController
  skip_before_filter :authenticate_user!
end

class Ability
  def initialize(user)
    if user.nil?
      can :manage, :all
    end
  end
end

[voxik]

This could be the cure:

before_filter do |controller|
  controller.class.cancan_resource_class.new(controller).load_and_authorize_resource unless controller.class == SomeController
end

[voxik]

This could be the cure:

before_filter do |controller|
  controller.class.cancan_resource_class.new(controller).load_and_authorize_resource unless controller.class == SomeController
end

[incognick]

@voxik - Thanks! This did the trick for me. I only want one location (ApplicationController) where I implement
load_and_authorize_resource
The Devise::SessionsController throws an error otherwise
uninitialized constant Session
Since it's not even getting to the authenticated part, the before_filter in that controller doesn't help. The other options would require changes to all my other controllers as well as new ones.

[incognick]

@voxik - Thanks! This did the trick for me. I only want one location (ApplicationController) where I implement
load_and_authorize_resource
The Devise::SessionsController throws an error otherwise
uninitialized constant Session
Since it's not even getting to the authenticated part, the before_filter in that controller doesn't help. The other options would require changes to all my other controllers as well as new ones.

[ryanb]

adding skip load and authorize behavior - closed by 5732711

[ryanb]

adding skip load and authorize behavior - closed by 5732711

[denispeplin]

I'm not sure it is documented for cancan+devise.

For devise, I have custom controller, so following code works:

class ApplicationController < ActionController::Base
  authorize_resource
  check_authorization
end

class Users::SessionsController < Devise::SessionsController
  skip_authorize_resource
  skip_authorization_check
end

[denispeplin]

I'm not sure it is documented for cancan+devise.

For devise, I have custom controller, so following code works:

class ApplicationController < ActionController::Base
  authorize_resource
  check_authorization
end

class Users::SessionsController < Devise::SessionsController
  skip_authorize_resource
  skip_authorization_check
end

[CarlosLCervantes]

"As of CanCan 1.5 you can use the skip_load_and_authorize_resource, skip_load_resource or skip_authorize_resource methods to skip any of the applied behavior and specify specific actions like in a before filter." - (https://github.com/ryanb/cancan/wiki/authorizing-controller-actions)

[CarlosLCervantes]

"As of CanCan 1.5 you can use the skip_load_and_authorize_resource, skip_load_resource or skip_authorize_resource methods to skip any of the applied behavior and specify specific actions like in a before filter." - (https://github.com/ryanb/cancan/wiki/authorizing-controller-actions)

[sajjadmurtaza]

@incognick Here is also a way.
load_and_authorize_resource :unless => :devise_controller?

[sajjadmurtaza]

@incognick Here is also a way.
load_and_authorize_resource :unless => :devise_controller?