I have the following:
    class ConversationsController < ApplicationController
      before_action :set_conversation_show, only: [:show]
      authorize_resource

      def show
      end

      private

      # Scoped to the current user, so a conversation the user did not send
      # is simply not found (find_by_id returns nil instead of raising).
      def set_conversation_show
        @conversation = Conversation.where("sender_id = ?", current_user.id).find_by_id(params.fetch(:id))
      end
    end
My understanding is that:
- Since a model instance (@conversation) is set in a before_action, authorize_resource should simply check to see if the current_user has access to that resource, and if not, deny access.
However, access is allowed....
When I change authorize_resource to load_and_authorize_resource, then access is denied as it should be.
Note: authorize_resource is the same as load_and_authorize_resource except it doesn't assume what model instance should be loaded, but instead relies on there being one provided via a before_action. (more here).
I prefer to use authorize_resource for that very reason - because it doesn't automatically assume the model instance it is to check permissions against.
So the question is, why isn't the above code working as expected and denying access?
For reference
The relevant ability.rb:
    can [:show], [Conversation] do |conversation|
      conversation.sender_id == user.id
    end
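The difference between the two macros can be reproduced without Rails or the gem. The example below is added here and is not part of the original question; it is a plain-Ruby stand-in (MiniAbility, CONVERSATIONS and the two *_allowed? helpers are all constructed names, not the cancancan API) that mirrors two documented CanCan behaviours: a block-based `can` rule is not evaluated when the subject is a class, and authorize_resource authorizes the loaded instance if one is set but falls back to the resource class when the instance variable is nil. With the question's user-scoped before_action, a conversation the user does not own loads as nil, so authorize_resource ends up checking `can?(:show, Conversation)`, which the block rule grants; load_and_authorize_resource loads the record by id regardless of owner, so the block actually runs and denies it.

```ruby
# Constructed models standing in for the ActiveRecord classes.
Conversation = Struct.new(:id, :sender_id)
User = Struct.new(:id)

# Constructed sample data: conversation 1 belongs to user 10, conversation 2 to user 20.
CONVERSATIONS = [Conversation.new(1, 10), Conversation.new(2, 20)].freeze

# Minimal stand-in for an Ability class. Only the two behaviours relevant to the
# question are modelled; it is not the cancancan gem.
class MiniAbility
  def initialize(user)
    @rules = []
    # The same rule as the question's ability.rb.
    can(:show, Conversation) { |conversation| conversation.sender_id == user.id }
  end

  def can(action, subject_class, &block)
    @rules << [action, subject_class, block]
  end

  # Mirrors CanCan: for a class subject the block is NOT evaluated and the rule
  # is treated as granting access; for an instance the block decides.
  def can?(action, subject)
    @rules.any? do |rule_action, klass, block|
      next false unless rule_action == action
      if subject.is_a?(Class)
        subject <= klass
      else
        subject.is_a?(klass) && (block.nil? || block.call(subject))
      end
    end
  end
end

# Stand-in for the question's before_action: scoped to the current user, so a
# conversation the user does not own comes back as nil rather than raising.
def set_conversation_show(user, id)
  CONVERSATIONS.find { |c| c.sender_id == user.id && c.id == id }
end

# Stand-in for authorize_resource: authorizes the instance the before_action
# set, or falls back to the class when that instance is nil.
def authorize_resource_allowed?(user, id)
  ability = MiniAbility.new(user)
  instance = set_conversation_show(user, id)
  ability.can?(:show, instance || Conversation)
end

# Stand-in for load_and_authorize_resource: loads by id regardless of owner,
# so the block rule always sees a real record (a missing id raises instead).
def load_and_authorize_resource_allowed?(user, id)
  ability = MiniAbility.new(user)
  record = CONVERSATIONS.find { |c| c.id == id }
  raise "record not found: #{id}" if record.nil?
  ability.can?(:show, record)
end

if __FILE__ == $PROGRAM_NAME
  owner = User.new(10)
  # Conversation 2 belongs to user 20, so user 10 should be denied.
  puts "authorize_resource, foreign conversation:          #{authorize_resource_allowed?(owner, 2)}"
  puts "load_and_authorize_resource, foreign conversation: #{load_and_authorize_resource_allowed?(owner, 2)}"
  puts "authorize_resource, own conversation:              #{authorize_resource_allowed?(owner, 1)}"
end
```

The first line of output is the surprising one: the scoped before_action turns "not yours" into "nil", and a nil instance makes authorize_resource check the class, where block conditions are never consulted. Any fix that keeps authorize_resource has to ensure the before_action hands it a real record (or fails the request itself when nothing is found) so that the block rule is actually exercised.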