20
votes

Because anyone can sign up and then log in, and because a user isn't identified for roles until after log in, doesn't it make sense to skip authorization_check for Devise?

Going on that premise, I inherited from the Devise registration controller with this registrations_controller and placed it in the controllers directory.

class Users::RegistrationsController < Devise::RegistrationsController
  skip_authorization_check
end

change to the routes file:

# The controller above is namespaced (Users::RegistrationsController), so the
# route has to name it as "users/registrations"; plain "registrations" would
# make Devise look for a top-level RegistrationsController instead.
devise_for :users, :controllers => { :registrations => "users/registrations" }

I'm missing something though:

This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check.

Thanks for your help.

1
@RyanBigg, when I get past this issue, I'm going to see if your answer to the prior question is the correct one for the app. Thanks. Jay
@Hosemeyer, I need to get past this issue before I can follow your advice in the other question. Thanks for your help. Jay

1 Answer

41
votes

The easy solution

check_authorization :unless => :devise_controller?

If you have to put check_authorization in every controller manually, at some point you will forget and open a security hole in your app. It's better to declare it once and explicitly whitelist the controllers that don't need authorization by CanCan.

This is made clear in the CanCan docs at

https://github.com/ryanb/cancan/wiki/Ensure-Authorization

EDIT

class ApplicationController < ActionController::Base
  check_authorization :unless => :do_not_check_authorization?
  private
  # Whitelist predicate: true means "do not run the CanCan check" for this request.
  def do_not_check_authorization?
    # Call devise_controller? itself. Testing respond_to?(:devise_controller?)
    # would be wrong: once Devise is loaded every controller responds to it,
    # so that test would return true everywhere and silently disable the check
    # for the whole app.
    devise_controller? ||
      condition_one? ||
      condition_two?
  end

  # Further application-specific exemptions go here.
  def condition_one?
    # ...
  end

  def condition_two?
    # ...
  end
end
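To make the whitelist behaviour concrete without a Rails app, here is an added example (not code from the question or the answer) that models CanCan's check_authorization / skip_authorization_check contract in plain Ruby: the check is declared once in ApplicationController with an :unless predicate, Devise's controllers are exempt because they inherit from DeviseController, a controller that forgets to authorize fails, and one that opts out with skip_authorization_check passes. The controller and action names (PostsController, HealthController, export, show) are made up for the illustration; devise_controller? is modelled with the same is_a?(DeviseController) definition Devise uses.

```ruby
# Added example: a stand-alone model of check_authorization with a Devise
# whitelist. Plain Ruby, no Rails, Devise or CanCan required.

class AuthorizationNotPerformed < StandardError; end

class ControllerBase
  class << self
    # Class-level settings; nil means "not set here, ask the superclass",
    # mimicking the inheritance of Rails' class_attribute.
    attr_accessor :check_enabled, :check_unless, :skip_check

    # check_authorization :unless => :predicate?   (as in the answer)
    def check_authorization(options = {})
      self.check_enabled = true
      self.check_unless = options[:unless]
    end

    # skip_authorization_check   (as in the question's controller)
    def skip_authorization_check
      self.skip_check = true
    end

    # First non-nil value of a setting found walking up the class chain.
    def setting(name)
      ancestors.each do |klass|
        next unless klass.is_a?(Class) && klass.respond_to?(name)
        value = klass.public_send(name)
        return value unless value.nil?
      end
      nil
    end
  end

  def initialize
    @authorized = false
  end

  # Same definition Devise uses: true only for controllers under DeviseController.
  def devise_controller?
    is_a?(DeviseController)
  end

  # Stand-in for CanCan's authorize_resource / load_and_authorize_resource.
  def authorize_resource
    @authorized = true
  end

  # Run one action, then the after_action that check_authorization installs.
  def process(action)
    public_send(action)
    return :ok if self.class.setting(:skip_check)
    return :ok unless self.class.setting(:check_enabled)
    pred = self.class.setting(:check_unless)
    return :ok if pred && public_send(pred)
    return :ok if @authorized
    raise AuthorizationNotPerformed,
          "#{self.class}##{action} failed check_authorization because it does not authorize_resource"
  end
end

class ApplicationController < ControllerBase
  check_authorization :unless => :devise_controller?   # declared once, app-wide
end

# Devise's base class; in a real app it inherits from ApplicationController
# too, which is why the :unless predicate reaches Devise's controllers at all.
class DeviseController < ApplicationController; end

class SessionsController < DeviseController
  def create; end         # log in: nothing to authorize, exempt via the predicate
end

class PostsController < ApplicationController   # hypothetical app controller
  def index
    authorize_resource    # the normal, authorized path
  end

  def export; end         # forgot to authorize: the check must fail
end

class HealthController < ApplicationController  # hypothetical app controller
  skip_authorization_check                      # explicit per-controller opt-out
  def show; end
end

# Returns :ok or :authorization_not_performed for one simulated request.
def dispatch(controller_class, action)
  controller_class.new.process(action)
rescue AuthorizationNotPerformed
  :authorization_not_performed
end

# The pitfall of testing respond_to?(:devise_controller?) instead of calling
# the predicate: every controller responds to it once Devise is loaded.
def responds_to_devise_predicate?(controller_class)
  controller_class.new.respond_to?(:devise_controller?)
end

if __FILE__ == $PROGRAM_NAME
  [[SessionsController, :create], [PostsController, :index],
   [PostsController, :export], [HealthController, :show]].each do |klass, action|
    puts "#{klass}##{action}: #{dispatch(klass, action)}"
  end
  puts "PostsController responds to devise_controller?: #{responds_to_devise_predicate?(PostsController)}"
end
```

The model deliberately raises when an action neither authorizes nor opts out, which is the fail-closed behaviour the answer relies on: the only way to disable the check for a controller is to name it in the whitelist predicate or call skip_authorization_check in it, so a forgotten authorize call surfaces as an error instead of an open endpoint.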