StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POShould I skip authorization, with CanCan, of an action that instantiates a resource?
primarykey
Id
2831720
data
AcceptedAnswerId
2835188
AnswerCount
2
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2010-05-14T03:45:32.173
FavoriteCount
1
LastActivityDate
2010-05-14T15:06:35.323
LastEditDate
2010-05-14T12:32:53.983
LastEditorUserId
340407
OwnerUserId
340407
ParentId
0
PostTypeId
1
Score
0
ViewCount
3933
LastEditorDisplayName
text
Body
I am writing a web app to pick random lists of cards from larger, complete sets of cards. I have a Card model and a CardSet model. Both models have a full RESTful set of 7 actions (:index, :new, :show, etc). The CardSetsController has an extra action for creating random sets: <code>:random</code>. <pre><code># app/models/card_set.rb class CardSet < ActiveRecord::Base belongs_to :creator, :class_name => "User" has_many :memberships has_many :cards, :through => :memberships # app/models/card.rb class Card < ActiveRecord::Base belongs_to :creator, :class_name => "User" has_many :memberships has_many :card_sets, :through => :memberships </code></pre> I have added Devise for authentication and CanCan for authorizations. I have users with an 'editor' role. Editors are allowed to create new CardSets. Guest users (Users who have not logged in) can only use the <code>:index</code> and <code>:show</code> actions. These authorizations are working as designed. Editors can currently use both the <code>:random</code> and the <code>:new</code> actions without any problems. Guest users, as expected, cannot. <pre><code># app/controllers/card_sets_controller.rb class CardSetsController < ApplicationController before_filter :authenticate_user!, :except => [:show, :index] load_and_authorize_resource </code></pre> I want to allow guest users to use the <code>:random</code> action, but not the <code>:new</code> action. In other words, they can see new random sets, but not save them. The "Save" button on the <code>:random</code> action's view is hidden (as designed) from the guest users. The problem is, the first thing the <code>:random</code> action does is build a new instance of the CardSet model to fill out the view. When cancan tries to <code>load_and_authorize_resource</code> a new CardSet, it throws a CanCan::AccessDenied exception. Therefore, the view never loads and the guest user is served a "You need to sign in or sign up before continuing" message. <pre><code># app/controllers/card_sets_controllers.rb def random @card_set = CardSet.new( :name => "New Set of 10", :set_type => "Set of 10" ) </code></pre> I realize that I can tell <code>load_and_authorize_resource</code> to skip the <code>:random</code> action by passing <code>:except => :random</code> to the call, but that just feels "wrong" for some reason. What's the "right" way to do this? Should I create the new random set without instantiating a new CardSet? Should I go ahead and add the exception? <h2>Update</h2> I didn't include my Ability class above. I've updated it to include the ':random' action, but it still isn't working quite right. <pre><code>class Ability include CanCan::Ability def initialize( user ) user ||= User.new # User hasn't logged in if user.admin? can :manage, :all if user.admin? else # All users, including guests: can :read, [Card, CardSet] can :random, CardSet # All users, except guests: can :create, [Card, CardSet] unless user.role.nil? can :update, [Card, CardSet] do |c| c.try( :creator ) == user || user.editor? end if user.editor? can [:create, :update], [Card, CardSet] end end end end </code></pre>
Tags
<ruby-on-rails><cancan>
Title
Should I skip authorization, with CanCan, of an action that instantiates a resource?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USirkenInvader
UserOwnerUserId
1. USirkenInvader
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POShould I skip authorization, with CanCan, of an action that instantiates a resource?
 UserUserId
 USArman Ortega
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.