More from Martin Sojka

Fetching notifications on click while showing pulsating placeholders with htmx and hyperscript on Rails Post like / unlike with htmx on Rails - partial replacement, server-side rendering Accepting nested attributes in Ruby on Rails Search users as you type in Ruby on Rails with htmx

RSS

Authorization concerns for models and controllers in Ruby on Rails

501 views

0 comments

                  module Authorizer
  extend ActiveSupport::Concern
  
  private
  
  def authorize!(object, method=nil)
    defaults = {
      :index   => :readable_by?,
      :show    => :readable_by?,
      :new     => :creatable_by?,
      :create  => :creatable_by?,
      :edit    => :editable_by?,
      :update  => :editable_by?,
      :destroy => :deletable_by?
    }
    method ||= defaults[action_name.to_sym]
    raise Member::NotAuthorized unless current_member
    raise Member::NotAuthorized unless object.send(method, current_member)
  end

  def not_authorized
    redirect_to(root_path, alert: 'Not authorized.')
  end
end

                  include Authorizer
rescue_from Member::NotAuthorized, with: :not_authorized

                  include Authorized::Post

                  def new
  authorize!(Post)
  @post = current_member.posts.build
end

def create
  authorize!(Post)
  @post = current_member.posts.build(post_params)
  ...
end

def edit
  authorize!(@collection)
end

def update
  authorize!(@collection)
  ...
end

                  module Authorized::Collection
  extend ActiveSupport::Concern

  module ClassMethods
  	def creatable_by?(member)
  	  member && member.status == 'approved'
  	end
  end

  def editable_by?(member)
    member.is_admin? or
  	  (author == member and member.status == 'approved')
  end

  def deletable_by?(member)
    member.is_admin? or
  	  (author == member and member.status == 'approved')
  end
end

Martin Sojka

More from Martin Sojka

Authorization concerns for models and controllers in Ruby on Rails

0 Comments

More from Martin Sojka