stffn / declarative_authorization

An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
MIT License

nested controllers and strong parameters. #209

Open urkle opened 9 years ago

urkle commented 9 years ago

So, I have a nested controller in a project I'm converting to Rails 4.2, using the head master. I have a before_filter configured to load up the model for the create action. However, due to the ordering of the before filters, that gets run AFTER the permissions are being checked.

```ruby
  filter_resource_access :nested_in => :commentable
  before_filter :new_comment_from_params, :only => :create
```

And I can't put it before, as it relies on Decl auth running the load_parent_controller_object / load_commentable:

```ruby
  def load_commentable
    @commentable = find_polymorphic
  end

  def new_comment_from_params
    # Merge the author into the permitted params, then build the comment on the parent.
    @comment = @commentable.comments.build(comment_params.merge(author: current_user))
  end
```

This creates a lovely catch-22 problem in the code. IMHO in the "Strong parameters" case decl auth should handle the :create before filter and either only check for new_{model}_from_params OR have a default implementation that expects {model}_params to handle the strong parameters logic.
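
The ordering problem described in the comment above, modelled as an added example (not code from the issue or from the plugin): a plain-Ruby filter chain with no Rails dependency, in which the permission check is assumed to need the already-built comment. The step names mirror the post; `STEPS`, `run_order`, the three order constants and the sample values are constructed for illustration.

```ruby
# Added illustration: a tiny before-filter chain, not Rails or declarative_authorization code.
Comment = Struct.new(:body, :author)

STEPS = {
  # Parent loader that runs as part of filter_resource_access.
  load_commentable: ->(ctx) { ctx[:commentable] = :post_1 },
  # Assumed stand-in for the permission check: it inspects the built comment.
  permission_check: ->(ctx) {
    raise "check ran before the comment was built" unless ctx[:comment]
    raise "not permitted" unless ctx[:comment].author == ctx[:current_user]
  },
  # The strong-parameters builder from the post; it depends on the loaded parent.
  new_comment_from_params: ->(ctx) {
    raise "commentable not loaded" unless ctx[:commentable]
    ctx[:comment] = Comment.new(ctx[:params].fetch(:body), ctx[:current_user])
  }
}.freeze

# Order as declared in the post: the builder is registered after filter_resource_access.
POSTED      = %i[load_commentable permission_check new_comment_from_params].freeze
# Builder moved in front of filter_resource_access: the parent is not loaded yet.
MOVED_FIRST = %i[new_comment_from_params load_commentable permission_check].freeze
# Order the post asks for: load parent, build from permitted params, then check.
PROPOSED    = %i[load_commentable new_comment_from_params permission_check].freeze

# Runs the named steps in sequence against constructed request data.
def run_order(order)
  ctx = { current_user: "urkle", params: { body: "hi" } }
  order.each { |name| STEPS.fetch(name).call(ctx) }
  [:ok, ctx[:comment].author]
rescue StandardError => e
  [:failed, e.message]
end

{ posted: POSTED, moved_first: MOVED_FIRST, proposed: PROPOSED }.each do |label, order|
  puts "#{label}: #{run_order(order).inspect}"
end
```

Because the parent load and the permission check come from a single declaration, a controller-level `before_filter` can only land before both or after both, which is why only the third order is unreachable from the controller alone.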