Because anyone can sign up and then log in, and because a user isn't identified for roles until after login, doesn't it make sense to skip authorization_check for Devise?
Going on that premise, I inherit from the Devise registration controller with this registrations_controller and placed it in the controller directory.
class Users::RegistrationsController < Devise::RegistrationsController
  # CanCan: don't raise AuthorizationNotPerformed for this controller's actions
  skip_authorization_check
end
change to the routes file:
# the controller is namespaced under Users, so the route has to name it as "users/registrations"
devise_for :users, :controllers => { :registrations => "users/registrations" }
I'm missing something though:
This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check.
Thanks for your help.
The easy solution
check_authorization :unless => :devise_controller?
If you have to put check_authorization in every controller manually, at some point you will forget and open a security hole in your app. It's better to explicitly whitelist the controllers that don't need authorization by CanCan.
This is made clear in the CanCan docs at
https://github.com/ryanb/cancan/wiki/Ensure-Authorization
EDIT
class ApplicationController < ActionController::Base
  check_authorization :unless => :do_not_check_authorization?
  private
  # Call devise_controller? rather than probing respond_to?(:devise_controller?):
  # Devise mixes that helper into ActionController::Base, so every controller
  # responds to it, and the respond_to? form would exempt all controllers.
  def do_not_check_authorization?
    devise_controller? ||
      condition_one? ||
      condition_two?
  end
  def condition_one?
    ...
  end
  def condition_two?
    ...
  end
end
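To make the exemption rule concrete, here is an added example (not code from the question, the answer, CanCan or Devise): a Rails-free model of CanCan's check_authorization / skip_authorization_check and Devise's devise_controller? helper, so you can see which controllers end up exempt under each predicate without a Rails app. The class names mirror the real ones, but run_action, inherited_setting, looks_like_devise? and the exemptions helper are stand-ins written for this example. It covers the asker's approach (skip_authorization_check on one subclass), the answer's :unless => :devise_controller? rule, and, going beyond the text, why respond_to?(:devise_controller?) would be the wrong predicate: Devise adds that helper to every controller, so probing for it exempts everything.

```ruby
# Added example, not code from the question or the answer: a Rails-free model of
# CanCan's check_authorization / skip_authorization_check and Devise's
# devise_controller? helper, so the exemption rule can be exercised offline.
# Class names mirror the real ones; CanCan's after_action wiring is simplified.

class AuthorizationNotPerformed < StandardError; end

class ApplicationController
  # Devise mixes Devise::Controllers::Helpers into ActionController::Base, so
  # every controller responds to devise_controller?; it is true only for
  # controllers that inherit from DeviseController.
  def devise_controller?
    is_a?(DeviseController)
  end

  # The mistaken predicate: respond_to? asks whether the method *exists*,
  # which is true everywhere once Devise is loaded.
  def looks_like_devise?
    respond_to?(:devise_controller?)
  end

  class << self
    # Simplified CanCan: remember the :unless predicate for this class tree.
    def check_authorization(options = {})
      @check_authorization_unless = options[:unless]
    end

    # Simplified CanCan: this controller and its subclasses are exempt.
    def skip_authorization_check
      @skip_authorization_check = true
    end

    # Nearest ancestor's setting (stands in for Rails' class_attribute).
    def inherited_setting(ivar)
      ancestors.each do |klass|
        return klass.instance_variable_get(ivar) if klass.instance_variable_defined?(ivar)
      end
      nil
    end
  end

  # Emulates CanCan's after_action: the action passes if the controller is
  # exempt, the :unless predicate holds, or the action called authorize_resource.
  def run_action(authorized:)
    return :ok if self.class.inherited_setting(:@skip_authorization_check)
    predicate = self.class.inherited_setting(:@check_authorization_unless)
    return :ok if predicate && send(predicate)
    return :ok if authorized
    raise AuthorizationNotPerformed, "#{self.class.name} did not authorize_resource"
  end
end

# Devise's own controllers all inherit from DeviseController < ApplicationController.
class DeviseController < ApplicationController; end
class SessionsController < DeviseController; end
class RegistrationsController < DeviseController; end

# The asker's override: only registrations are exempted explicitly.
module Users
  class RegistrationsController < ::RegistrationsController
    skip_authorization_check
  end
end

# An ordinary application controller that must stay under the check.
class PostsController < ApplicationController; end

# true when an action that never authorized a resource still passes the check
def exempt?(klass)
  klass.new.run_action(authorized: false) == :ok
rescue AuthorizationNotPerformed
  false
end

# Configure check_authorization with the given :unless predicate (nil = none)
# and report which controllers are exempt.
def exemptions(unless_predicate)
  ApplicationController.check_authorization(unless: unless_predicate)
  {
    sessions: exempt?(SessionsController),
    registrations: exempt?(RegistrationsController),
    users_registrations: exempt?(Users::RegistrationsController),
    posts: exempt?(PostsController),
  }
end

if __FILE__ == $PROGRAM_NAME
  p exemptions(nil)                  # only the skipped subclass passes; sign-in is still blocked
  p exemptions(:devise_controller?)  # every Devise controller passes; posts stays checked
  p exemptions(:looks_like_devise?)  # everything passes: the global check is gone
end
```

The first run reproduces the asker's situation: skipping the check in one registrations subclass leaves Devise's sessions controller (login) failing check_authorization. The second run is the answer's rule, where Devise's controllers are exempt and application controllers such as PostsController are still required to authorize. The third run shows the failure mode to avoid in a whitelist predicate: a check that is trivially true for every controller silently disables the global authorization check.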