Skip to content

Ensure Authorization

ryanb edited this page Feb 22, 2011 · 8 revisions

If you want to be certain authorization is not forgotten in some controller action, add check_authorization to your ApplicationController.

class ApplicationController < ActionController::Base

This will add an after_filter to ensure authorization takes place in every inherited controller action. If no authorization happens it will raise a exception. You can skip this check by adding skip_authorization_check to that controller. Both of these methods take the same arguments as before_filter so you can exclude certain actions with :only and :except.

class UsersController < ApplicationController
  skip_authorization_check :only => [:new, :create]
  # ...

Rails Engines

This can cause issues with Rails Engines such as Devise because authorization will not happen there. The best thing to do is override the engine controller and add skip_authorization_check or perform any other authorization you see fit.

Something went wrong with that request. Please try again.