

Provide a skip_authorization_check within controller actions #833

KieranP opened this Issue · 3 comments

3 participants


Use case for JS applications:

    def show
      if @post = Post.find_by_id(params[:id])
        authorize! :show, @post
        render :status => 200, :text => '...'
      else
        skip_authorization_check # record not found, so there is nothing to authorize
        render :status => 500, :text => '...'
      end
    end

Currently, in place of skip_authorization_check I'm having to put @_authorized = true, which is a bit of a hack, but works well.


You can define this in your ability.rb instead, usually with no change to controller code necessary:

    can :create, User # everyone can sign up
    can :manage, User, :id => user.id unless user.nil? # manage your own account
    cannot :index, User # prevent index action on UsersController

If you don't use load_and_authorize_resource in your controller, it will check on authorize! instead. In this case, instead of skip_authorization_check in your posted code, call authorize! :index, @post instead.


I think the point was missed. No authorization should take place unless the object is found. If the object isn't found, then it should return an error regardless if authorize! has been called.

The simplest thing here is just making skip_authorization_check both a controller class method and a private instance method.


I don't understand the use case. Why not switch find_by_id to find and allow the 404?
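
An added example, not part of the thread and not CanCan's code: a plain-Ruby stand-in for the after-action authorization check, contrasting the issue's nil-returning lookup with the raising lookup suggested in the last comment. The class, method and constant names and the sample data are hypothetical.

```ruby
# Stand-in model of the after-action safety net discussed in this thread.
# Not CanCan's code: every name below is hypothetical.
class AuthorizationNotPerformed < StandardError; end
class AccessDenied < StandardError; end
class RecordNotFound < StandardError; end

POSTS = { 1 => { owner: "alice" }, 2 => { owner: "bob" } }.freeze # constructed data

class PostsController
  def initialize(user, id)
    @user, @id = user, id
  end

  # Models the request cycle: run the action, then verify that an
  # authorization decision was recorded. An exception skips the after-check.
  def process(action)
    status = send(action)
    raise AuthorizationNotPerformed unless instance_variable_defined?(:@_authorized)
    status
  rescue RecordNotFound
    404
  rescue AccessDenied
    403
  end

  # Variant from the issue: nil-returning lookup; the error branch never authorizes.
  def show_find_by_id
    post = POSTS[@id]
    return 500 unless post
    authorize!(post)
    200
  end

  # Variant from the last comment: raising lookup, so no skip or flag is needed.
  def show_find
    post = POSTS.fetch(@id) { raise RecordNotFound }
    authorize!(post)
    200
  end

  private

  def authorize!(post)
    @_authorized = true # a decision was recorded, whether it allows or denies
    raise AccessDenied unless post[:owner] == @user
  end
end
```

With the raising lookup, every path that returns a body has passed through the authorization call, so the check never needs to be disabled for the action.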
