Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Ensure Authorization

ryanb edited this page · 8 revisions

If you want to be certain authorization is not forgotten in some controller action, add check_authorization to your ApplicationController.

class ApplicationController < ActionController::Base
  check_authorization
end

This will add an after_filter to ensure authorization takes place in every inherited controller action. If no authorization happens it will raise a CanCan::AuthorizationNotPerformed exception. You can skip this check by adding skip_authorization_check to that controller. Both of these methods take the same arguments as before_filter so you can exclude certain actions with :only and :except.

class UsersController < ApplicationController
  skip_authorization_check :only => [:new, :create]
  # ...
end

Rails Engines

This can cause issues with Rails Engines such as Devise because authorization will not happen there. The best thing to do is override the engine controller and add skip_authorization_check or perform any other authorization you see fit.

Alternatively you can do something like this, but it is not as clean.

class ApplicationController < ActionController::Base
  check_authorization
  before_filter {|controller| controller.instance_variable_set(:@_authorized, true) if controller.devise_controller? }
end
Something went wrong with that request. Please try again.