Rails Authority gem, trouble with 'show' action

Question

It's the first time I'm using this gem and it's driving me crazy with something as simple as authorize the showaction only for the resource owner.

I tried different ways, configuring the controller mapping and actions, but always get the unauthorized message for show, other actions work as they should.

It seems that showis not getting it's way to the ApplicationAuthorizer.

This is how it's configured:

class EnterpriseAuthorizer < ApplicationAuthorizer
  # This works
  def self.creatable_by?(user)
    user.is_enterpriser?
  end
  # This doesn't
  def readable_by?(user)
    true # Just for testing
  end 
end

class EnterprisesController < ApplicationController
  authorize_actions_for Enterprise
  def show
   @enterprise = Enterprise.find(params[:id])
     respond_to do |format|
      format.html
      format.json { render json: @enterprise }
     end
 end

I have include Authority::UserAbilities in User and include Authority::Abilities in the Enterprise model. And User has_one :enterprise

Any idea? Thinking seriously about rolling back to cancan.

Thanks in advance.

Answer 1

Authority has different ways of checking permissions. For collection-based actions (e.g. new, create, index), you use authorize_actions_for Model.

For instance-based actions (e.g. edit, update, show, delete), you must call authorize_action_for @instance.

Change your code to this and it should work.

class EnterprisesController < ApplicationController
  authorize_actions_for Enterprise
  def show
    @enterprise = Enterprise.find(params[:id])
    authorize_action_for @enterprise
    respond_to do |format|
      format.html
      format.json { render json: @enterprise }
    end
  end
end

If you want a less messy way to do this, put the

@enterprise = Enterprise.find(params[:id])
authorize_action_for @enterprise

into a before filter that's called by each instance action.