Provide a skip_authorization_check within controller actions #833

Open
KieranP opened this Issue · 3 comments

3 participants

@KieranP

Use case for JS applications:

    def show
      if @post = Post.find_by_id(params[:id])
        authorize! :show, @post
        render :status => 200, :text => '...'
      else
        skip_authorization_check
        render :status => 500, :text => '...'
      end
    end

Currently, in place of skip_authorization_check I'm having to put @_authorized = true, which is a bit of a hack, but works well.

@grrowl

You can define this in your ability.rb instead, usually with no change to controller code necessary:

    can :create, User # everyone can sign up
    can :manage, User, :id => user.id unless user.nil? # manage your own account
    cannot :index, User # prevent index action on UsersController

If you don't use load_and_authorize_resource in your controller, it will check on authorize! instead. In this case, instead of skip_authorization_check in your posted code, call authorize! :index, @post.

@KieranP

I think the point was missed. No authorization should take place unless the object is found. If the object isn't found, then it should return an error regardless of whether authorize! has been called.

The simplest thing here is just making skip_authorization_check both a controller class method and a private instance method.
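To make the mechanism behind this thread concrete, here is an added example (not CanCan's own code) that simulates what the gem's check_authorization after_filter does: it raises unless @_authorized was set by authorize! or by the instance-level skip_authorization_check proposed above. The Post stub, the can_show: flag standing in for ability.rb, and the process method are assumptions of this example.

```ruby
# Added example, not CanCan's code: models the flag that check_authorization
# inspects and shows both branches of the show action from the issue.
class AccessDenied < StandardError; end
class AuthorizationNotPerformed < StandardError; end

# Stub model (constructed): only the post with id 1 exists.
Post = Struct.new(:id) do
  def self.find_by_id(id)
    id.to_i == 1 ? new(1) : nil
  end
end

class PostsController
  def initialize(can_show:)
    @can_show = can_show   # what ability.rb would answer for :show
    @_authorized = false   # flag that check_authorization verifies
  end

  # Runs the action, then the after_filter installed by check_authorization.
  def process(params)
    show(params)
    raise AuthorizationNotPerformed unless @_authorized
    @status
  end

  def show(params)
    if @post = Post.find_by_id(params[:id])
      authorize! :show, @post
      @status = 200
    else
      skip_authorization_check  # the instance-level skip requested in the issue
      @status = 500
    end
  end

  private

  # authorize! marks the check as performed and then enforces the ability.
  def authorize!(_action, _subject)
    @_authorized = true
    raise AccessDenied unless @can_show
  end

  # Instance method the issue asks for; equivalent to the @_authorized = true
  # workaround the reporter uses today.
  def skip_authorization_check
    @_authorized = true
  end
end
```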

@mikegee

I don't understand the use case. Why not switch find_by_id to find and allow the 404?
