[openstreetmap/openstreetmap-website] Initial cut at authorization patterns (#1904)
notifications at github.com
Mon Jun 18 00:40:23 UTC 2018
In theory, this is a fair exemplar of what the controllers will change to, and subsequent controllers can be adapted following this pattern.
For some of the controllers, there will be more work to do, _depending_ on how you want to adjust to this reality: CanCanCan will not tell you _why_ you have failed authorization, only that you have. It's inherent in the default-deny style. Currently before filters are taking away access to something, and they can report _why_ they are taking away the access. Default-deny can't do that, because instead of taking away access for a reason, you never had it in the first place.
`DiaryEntriesController` addresses this by overriding the `deny_access` handler and essentially replicating the knowledge that `hide` and `hidecomment` _require_ an administrator role. Something similar would have to be done for missing capabilities, checking against the `granted_capabilities` helper to attempt to produce a nicer denial message. Note that this is only necessary if you want to provide _specific reasons_ for access refusal.
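The default-deny behaviour this message describes, as an added example that is not part of the original message or the openstreetmap-website code: a plain-Ruby stand-in (not CanCanCan's API) in which the ability check fails without a reason and a `deny_access`-style handler rebuilds one. The `Ability` class, the lookup tables and the `allow_write_diary` capability name are assumptions made for illustration.

```ruby
# Added example: plain-Ruby stand-in for a default-deny ability, not CanCanCan's API.
class AccessDenied < StandardError; end

class Ability
  def initialize(roles:, capabilities:)
    @rules = [] # allow-list only: rules grant access, nothing is ever taken away
    can(:index, :diary_entry)
    can(:create, :diary_entry) if capabilities.include?(:allow_write_diary) # assumed name
    can(%i[hide hidecomment], :diary_entry) if roles.include?(:administrator)
  end

  def can(actions, subject)
    Array(actions).each { |action| @rules << [action, subject] }
  end

  def can?(action, subject)
    @rules.include?([action, subject])
  end
end

# The handler must restate what each action needs, because the failed
# check carries no reason. Both tables are hypothetical.
REQUIRED_ROLE = { hide: :administrator, hidecomment: :administrator }.freeze
REQUIRED_CAPABILITY = { create: :allow_write_diary }.freeze

def authorize!(ability, action, subject)
  raise AccessDenied unless ability.can?(action, subject) # bare denial, no "why"
  true
end

# Counterpart of the overridden deny_access: derive a specific message if possible.
def deny_access(action, roles, granted_capabilities)
  role = REQUIRED_ROLE[action]
  capability = REQUIRED_CAPABILITY[action]
  return "#{action} requires the #{role} role" if role && !roles.include?(role)
  return "#{action} requires the #{capability} capability" if capability && !granted_capabilities.include?(capability)
  "access denied" # action was never granted to anyone: no specific reason exists
end

def perform(action, roles: [], granted_capabilities: [])
  ability = Ability.new(roles: roles, capabilities: granted_capabilities)
  authorize!(ability, action, :diary_entry)
  "ok"
rescue AccessDenied
  deny_access(action, roles, granted_capabilities)
end
```

The role and capability requirements end up stated twice, once in the ability and once in the handler, which is the duplication the message says is only needed when specific refusal reasons are wanted.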