I cannot seem to find a good example for this. I have, for example, a TicketController.
I define a ticket resource in my routes.rb.
You only need to be logged in as a customer to GET a ticket, but you must be logged in as an administrator to PUT a ticket.
I currently do this at the controller level. I have a before_action for certain controller methods that checks whether you are logged in as a customer or an admin.
I'm wondering what the correct way to do this is. I would think ideally I could require certain authorization for specific actions on a specific resource. For example, the ticket resource GET action only needs to be logged in as a customer whereas the PUT action can only happen if you are an admin.
Upvotes: 2
Views: 1888
Using the cancan gem is a common way to manage user authorizations on different resources. You can go through this railscast, which covers the basics of using this gem.
Note: the cancan gem has, however, not been updated for a long time, so I would recommend using cancancan, which has similar functionality and syntax but is actively supported and updated.
Upvotes: 0
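As an added example (not code from the question, the answer or the cancancan project), here is how the ticket rules from the question look as cancancan-style `can` rules, with the RESTful controller action mapped to the permission it needs. The `User`/`Ticket` structs, the `:customer`/`:admin` roles and the tiny `Ability` stand-in (written so the file runs without Rails or the gem) are assumptions.

```ruby
# Added example (not from the question or answer). The real cancancan gem
# provides Ability/can/can?; this tiny class stands in for it so the file
# runs offline without Rails. Ticket, User and the roles are assumptions.
User   = Struct.new(:name, :role)
Ticket = Struct.new(:id, :subject)

# Maps the RESTful controller action (what cancancan's
# load_and_authorize_resource checks) to the permission it needs.
ACTION_FOR = {
  'index' => :read, 'show' => :read,
  'new' => :create, 'create' => :create,
  'edit' => :update, 'update' => :update,
  'destroy' => :destroy
}.freeze

# Minimal stand-in for CanCan::Ability: `can` records a rule, `can?` checks one.
class Ability
  def initialize(user)
    @rules = []
    # Any logged-in user (customer or admin) may GET tickets.
    can :read, Ticket if user
    # Only administrators may PUT (update) or delete tickets.
    can [:update, :destroy], Ticket if user&.role == :admin
  end

  def can(actions, subject)
    Array(actions).each { |a| @rules << [a, subject] }
  end

  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? { |a, s| a == action && s == klass }
  end
end

# What a controller's authorize! would decide for a given user and action.
def authorized?(user, controller_action, ticket)
  Ability.new(user).can?(ACTION_FOR.fetch(controller_action), ticket)
end

if __FILE__ == $0
  ticket   = Ticket.new(7, 'Cannot log in')
  customer = User.new('alice', :customer)
  admin    = User.new('bob', :admin)
  puts "customer GET  -> #{authorized?(customer, 'show', ticket)}"   # true
  puts "customer PUT  -> #{authorized?(customer, 'update', ticket)}" # false
  puts "admin PUT     -> #{authorized?(admin, 'update', ticket)}"    # true
  puts "anonymous GET -> #{authorized?(nil, 'show', ticket)}"        # false
end
```

With the real gem the same rules live in `app/models/ability.rb` and the controller calls `load_and_authorize_resource`, so each action is checked against the rule for that action rather than per-controller before_action filters.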