
Using cancancan's check_authorization with devise with custom controllers?

TL;DR (full question below)

cancan comes with check_authorization, which lets you know if you forgot to add authorisation to any part of your app. Essentially, I just want to know if it's necessary to add authorisation to the 'devise' part of an app, or does devise do everything it needs to out of the box? (i.e. it would be extremely bad if one user could change another user's password, for example! Does that need to be prevented via cancan, or does devise ensure that already out of the box?)

Full question

I have devise and cancancan set up, everything seems to work.

When I added check_authorization, everything continued to work, except that logging in and out no longer works:

    CanCan::AuthorizationNotPerformed in Devise::SessionsController#destroy
    This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check.

    Extracted source (around line #266):

    264           next if options[:unless] && controller.send(options[:unless])
    265
    266           raise AuthorizationNotPerformed,
    267                 'This action failed the check_authorization because it does not authorize_resource. '\
    268                 'Add skip_authorization_check to bypass this check.'
    269         end

Curiously, when a user updates their information, that works fine (no error).

Any ideas / pointers greatly appreciated.

Also, should I be adding skip_authorization_check to the devise controllers? Although the error message suggests it, it sounds risky.

Lastly, I don't exactly know how to access the devise controllers in order to add skip_authorization_check. Here is my directory (using users controllers for devise):

(screenshot of the app's controllers directory; image not available in text)

The answer is that you don't have to worry about skip_authorization_check on the devise controllers.

And in case you get this error message for any other controllers:

    CanCan::AuthorizationNotPerformed (This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check.):

then the solution is to either

  1. add authorization to that resource (or the parts thereof) that require it, OR
  2. simply skip authorization checks if a resource doesn't require authorization.

Authorization checks can be skipped by adding this to the resource:

skip_authorization_check

And you can use only or except like so:

skip_authorization_check except: [:index]

and

skip_authorization_check only: [:show, :edit]
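Added example, not part of the original question or answer and not CanCanCan's or Devise's own code: a Rails-free stand-in that reproduces what check_authorization does in its after-action hook (the logic visible in the extracted source above), so the failing and the fixed configuration can be run side by side without a Rails app. The module name CheckAuthorization, the dispatch helper and the sample controllers are this example's own inventions; only the option names (:unless, :only, :except) and the helper name devise_controller? mirror the real libraries. In a real Rails app the fix this models is one line in ApplicationController, `check_authorization unless: :devise_controller?`, which uses CanCanCan's :unless option together with the devise_controller? predicate Devise adds to every controller.

```ruby
# Hypothetical model of CanCanCan's check_authorization / skip_authorization_check
# after-action logic (added example; not the library's code).
class AuthorizationNotPerformed < StandardError; end

module CheckAuthorization
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # check_authorization(unless: :pred) / check_authorization(if: :pred)
    def check_authorization(options = {})
      @check_options = options
    end

    # Subclasses inherit the setting, as Rails callbacks do.
    def check_options
      return @check_options if defined?(@check_options)
      superclass.respond_to?(:check_options) ? superclass.check_options : nil
    end

    # skip_authorization_check(only: [...]) / skip_authorization_check(except: [...])
    def skip_authorization_check(options = {})
      @skip_options = options
    end

    def skip_options
      return @skip_options if defined?(@skip_options)
      superclass.respond_to?(:skip_options) ? superclass.skip_options : nil
    end
  end

  # Stand-in for authorize!: here it only records that the action checked
  # authorization (the real one consults the Ability and may raise AccessDenied).
  def authorize!(_action, _subject)
    @authorization_performed = true
  end

  # Run an action, then apply the after-action verification.
  def process(action)
    @authorization_performed = false
    result = public_send(action)
    verify_authorization(action)
    result
  end

  private

  def verify_authorization(action)
    opts = self.class.check_options
    return if opts.nil?                              # check_authorization never declared
    return if opts[:unless] && send(opts[:unless])  # e.g. unless: :devise_controller?
    return if opts[:if] && !send(opts[:if])
    return if authorization_skipped?(action)
    return if @authorization_performed

    raise AuthorizationNotPerformed, "#{self.class.name}##{action} did not call authorize!"
  end

  def authorization_skipped?(action)
    skip = self.class.skip_options
    return false if skip.nil?
    return skip[:only].include?(action) if skip[:only]
    return !skip[:except].include?(action) if skip[:except]
    true
  end
end

# The question's setup: a bare check_authorization also verifies Devise's
# controllers, so the sign-out action (which never calls authorize!) raises.
class StrictBase
  include CheckAuthorization
  check_authorization
  def devise_controller?; false; end
end

class StrictSessionsController < StrictBase      # stands in for Devise::SessionsController
  def devise_controller?; true; end
  def destroy; :signed_out; end
end

# The usual fix: exempt Devise's controllers, keep the check for everything else.
class ApplicationController
  include CheckAuthorization
  check_authorization unless: :devise_controller?
  def devise_controller?; false; end
end

class SessionsController < ApplicationController
  def devise_controller?; true; end
  def destroy; :signed_out; end
end

class PostsController < ApplicationController
  def index; :listed; end                           # forgot to authorize: raises
  def show; authorize!(:read, :post); :shown; end   # authorized: passes
end

class PagesController < ApplicationController
  skip_authorization_check only: [:about]           # public page, deliberately skipped
  def about; :about; end
  def admin; :admin; end                            # still verified: raises
end

# Returns the action's result, or the AuthorizationNotPerformed error the check raised.
def dispatch(controller_class, action)
  controller_class.new.process(action)
rescue AuthorizationNotPerformed => e
  e
end
```

Two caveats a practitioner should keep in mind. First, check_authorization authorizes nothing itself: it only verifies that each action called authorize! (or load_and_authorize_resource) and raises when one did not, so exempting a controller from it removes a consistency check, not a permission check. Second, the exemption is safe for Devise's stock controllers because they act on the signed-in account (sessions, registrations) or on a token the user received by e-mail (password resets, confirmations), not on a record chosen by a request parameter; if you override a Devise controller and add actions that touch other users' records, authorize those actions explicitly rather than relying on the exemption.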
