chaps-io / access-granted

Multi-role and whitelist based authorization gem for Rails (and not only Rails!)
MIT License
774 stars 41 forks

Able to access protected controller actions #36

Closed hippobyte closed 7 years ago

hippobyte commented 7 years ago

This means that you define what the user can do, which results in clean, readable policies regardless of application complexity. You don't have to worry about juggling cans and cannots in a very convoluted way!

Based on the README, my understanding is that access to controller actions should raise an error if not specified in access_policy.rb. That doesn't seem to be the case in my example. I am setting current_user when the user has not logged in yet and assigning role = 'locked'.

Based on access_policy.rb, a user with a role of 'locked' should only be able to read from one specific action; however, in my example the user is allowed to perform any action. It appears that the application_policy is not being applied to this new user, not sure why.

Yes, I am specifying authorize! in each controller action.

application_controller.rb

# Fall back to an unsaved User when nobody is logged in;
# its role defaults to 'locked' (see user.rb below)
def current_user
  super || User.new
end

user.rb

after_initialize :set_default_role, if: :new_record?

def set_default_role
  self.role ||= 'locked'
end

access_policy.rb

class AccessPolicy
  include AccessGranted::Policy

  def configure

    role :superhero do
      can :manage, Company
      can :index, Company
      can :manage, Event
    end

    role :admin do
      can :manage, User
      can :manage, App
      can :manage, Event
    end

    role :member do
      can :index, App
      can :index, User
      can :index, Event
    end

    role :locked do
      can :read, @page
    end

  end
end
hippobyte commented 7 years ago

My mistake, I didn't include the matcher.

role :locked, { role: 'locked' } do
  can :read, @page
end
pokonski commented 7 years ago

Glad you got it sorted :+1:
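The effect of the missing matcher, as an added example that is not part of this thread and does not use the access-granted gem itself: MiniPolicy below is a small stand-in written for this note that models only the behaviour discussed above (roles evaluated in definition order, a role applying when its Hash or Proc matcher matches the user, and a role declared with no matcher applying to every user). The Company, Event, App and Page classes, the Page stand-in for the reporter's @page, the keyword-initialised User struct and the treatment of :manage as a wildcard are all assumptions made for the example; the real gem additionally expands aliases such as :read, which is not modelled here.

```ruby
# Added example, not code from the thread or from the access-granted gem.
# MiniPolicy is a deliberately small stand-in that models only the behaviour
# discussed in the issue: roles are evaluated in definition order, a role
# applies to a user when its matcher (Hash of attribute => value, Proc, or
# nil) matches, and a role declared with NO matcher applies to every user.
# Not modelled: the gem's action aliases (e.g. :read => [:index, :show]).

# Subjects from the posted policy (assumed plain classes). Page is an
# assumption standing in for the reporter's `@page`.
class Company; end
class Event;   end
class App;     end
class Page;    end

# Minimal user: the posted app assigns role 'locked' to a not-yet-logged-in User.new
User = Struct.new(:email, :role, keyword_init: true)

class MiniPolicy
  Rule = Struct.new(:granted, :actions, :subject)

  def initialize(user)
    @user  = user
    @roles = []   # [[name, matcher, rules], ...] in definition order
    configure
  end

  def role(name, matcher = nil, &block)
    @current_rules = []
    instance_eval(&block) if block
    @roles << [name, matcher, @current_rules]
  end

  def can(actions, subject)
    @current_rules << Rule.new(true, Array(actions), subject)
  end

  def cannot(actions, subject)
    @current_rules << Rule.new(false, Array(actions), subject)
  end

  # nil matcher => applies to everyone. This is what handed the locked
  # visitor the :superhero permissions in the first post.
  def role_applies?(matcher)
    case matcher
    when Hash then matcher.all? { |attr, val| @user.public_send(attr) == val }
    when Proc then matcher.call(@user)
    when nil  then true
    else false
    end
  end

  def applied_roles
    @roles.select { |_, matcher, _| role_applies?(matcher) }.map(&:first)
  end

  # First matching rule in role order decides; :manage covers every action.
  def can?(action, subject)
    @roles.each do |_, matcher, rules|
      next unless role_applies?(matcher)
      rules.each do |rule|
        next unless rule.subject == subject
        next unless rule.actions.include?(:manage) || rule.actions.include?(action)
        return rule.granted
      end
    end
    false
  end
end

# The policy as first posted: no matchers, so every role applies to everyone.
class UnmatchedPolicy < MiniPolicy
  def configure
    role(:superhero) { can :manage, Company; can :manage, Event }
    role(:admin)     { can :manage, User;    can :manage, App; can :manage, Event }
    role(:member)    { can :index, App;      can :index, User; can :index, Event }
    role(:locked)    { can :read, Page }
  end
end

# The same roles, each with a Hash matcher on the user's `role` attribute
# (the fix applied to :locked in the second post, extended to every role).
class MatchedPolicy < MiniPolicy
  def configure
    role(:superhero, { role: 'superhero' }) { can :manage, Company; can :manage, Event }
    role(:admin,     { role: 'admin' })     { can :manage, User; can :manage, App; can :manage, Event }
    role(:member,    { role: 'member' })    { can :index, App; can :index, User; can :index, Event }
    role(:locked,    { role: 'locked' })    { can :read, Page }
  end
end

# Constructed sample user: the anonymous visitor after User.new + set_default_role
def locked_visitor
  User.new(email: nil, role: 'locked')
end

def without_matcher(action, subject)
  UnmatchedPolicy.new(locked_visitor).can?(action, subject)
end

def with_matcher(action, subject)
  MatchedPolicy.new(locked_visitor).can?(action, subject)
end

if __FILE__ == $PROGRAM_NAME
  puts "roles applied without matchers: #{UnmatchedPolicy.new(locked_visitor).applied_roles.inspect}"
  puts "roles applied with matchers:    #{MatchedPolicy.new(locked_visitor).applied_roles.inspect}"
  puts "locked visitor :manage Company, no matchers:   #{without_matcher(:manage, Company)}"
  puts "locked visitor :manage Company, with matchers: #{with_matcher(:manage, Company)}"
end
```

The check worth keeping from this is applied_roles: for an anonymous visitor it should list only the role you intend, and any role that shows up for every user is one whose matcher is missing. Note that adding a matcher to :locked alone does not narrow the other roles; each role that should not apply to everyone needs its own matcher.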