Closed ships closed 6 years ago
Great addition, thanks again! I will test the compatibility with my projects to make sure and merge it :)
Would you mind updating the README to describe this feature?
added an example of using this feature to readme. jury still out on my choice of example :)
A solid example, thanks for adding it!
@jraqula this is now released as 1.3.1 :)
hoo rah!
As recommended in your Readme, I have a catch-all for AccessDenied errors that come up from an `authorize!` method. However, this has made all my permissions errors result in the same error. This is a problem for my API design, because I need to be able to distinguish in a single controller method whether the rejection was "you are not allowed to view this resource" vs "you are not allowed to know whether this resource exists".
There are workarounds to arrange this probably, but they involve diverging from AccessGranted and therefore permissions/access control becomes fragmented.
This PR addresses this by permitting the catch-all to know what action and subject were requested when the error was thrown. In my case, across all subjects I use consistent action names (`:find` rejections always throw 404, `:show` always throw 403); this suggests there is room for further work as well in the realm of "inheritance" of actions (i.e., any validation of `:show` must first pass a check on `:find`), but this is enough to be getting on with.
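The 404-versus-403 mapping described above, as an added sketch that is not code from this PR or from the gem: `AccessDenied` here is a stand-in class assumed to expose the requested action and subject as the PR describes, and `RULES`, `authorize!`, `status_for` and `show_document` are hypothetical names with constructed sample data.

```ruby
# Stand-in for the gem's error class (assumption: it carries the action and
# subject that were requested when the check failed, as this PR describes).
class AccessDenied < StandardError
  attr_reader :action, :subject

  def initialize(action, subject)
    @action = action
    @subject = subject
    super("access denied")
  end
end

# Constructed sample data: a document with an owner and a visibility flag.
Document = Struct.new(:id, :owner, :listed)

# Hypothetical policy: :find = may know it exists, :show = may read it.
RULES = {
  find: ->(user, doc) { doc.listed || doc.owner == user },
  show: ->(user, doc) { doc.owner == user }
}.freeze

def authorize!(user, action, subject)
  # An action with no rule is denied rather than allowed.
  rule = RULES.fetch(action) { raise AccessDenied.new(action, subject) }
  raise AccessDenied.new(action, subject) unless rule.call(user, subject)
  subject
end

# Catch-all mapping. Only a :show rejection answers 403; every other action
# answers 404, so an unexpected action never confirms that a resource exists.
def status_for(error)
  error.action == :show ? 403 : 404
end

# One controller-style method: :find is checked before :show and a single
# rescue handles both. A hidden record answers exactly like a missing one.
def show_document(user, doc)
  return [404, "not found"] if doc.nil?
  authorize!(user, :find, doc)
  authorize!(user, :show, doc)
  [200, "document #{doc.id}"]
rescue AccessDenied => e
  [status_for(e), e.action == :show ? "forbidden" : "not found"]
end
```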