Reputation: 1072
cancancan: authorize_resource gets called to early
I would like to use authorize_resource but not load_and_authorize_resource.
I now have the same issue as this person here. But instead of setting the @model param inside the action I am using a before_action filter:
class ModelsController
before_action :set_model
authorize_resource
def show; end
private
def set_model
@model = Model.find(params[:model_id])
end
end
authorize_resource still checks for Model instead of @model because it is not set. How do I resolve this? I tried changing the order of authorize_resource and the before_action, didn't work. I tried using prepend_before_action, didn't work.
I know that I can use load_and_authorize_resource or check the ability manually with authorize! :show, @model, but that is not what I want.
Is there any way to always execute the before_filter before authorize_resource?
Upvotes: 0
Views: 40
Answers (1)
Reputation: 1072
My issue was that the id_param wasn't called :id, but :model_id instead.
using
authorize_resource id_param: :model_id
fixes the issue. Currently the id_param is not documented.
Upvotes: 0
Related Questions
- Is it possible to use Can? in ActiveAdmin controllers (using cancancan gem)
- Using CanCanCan - I am clearly doing something obviously wrong
- Cancancan not letting right users create, update, or delete -- in weird ways
- CanCanCan throwing ActiveModel::UnknownAttributeError setting non existing attribute
- The index is listing everything, cancancan is not filtering
- Rails, Cancancan, Devise, author
- Rails 4 & CanCanCan - syntax
- CanCanCan: Allowing to manage only users profile