[openstreetmap/openstreetmap-website] Initial cut at authorization patterns (#1904)

Chris Flipse notifications at github.com
Mon Jun 18 00:40:23 UTC 2018

In theory, this is a fair exemplar of what the controllers will change to, and subsequent controllers can be adapted following this pattern.

For some of the controllers, there will be more work to do, _depending_ on how you want to adjust to this reality: CanCanCan will not tell you _why_ you have failed authorization, only that you have. It's inherent in the default-deny style. Currently, before filters are taking away access to something, and they can report _why_ they are taking away the access. Default-deny can't do that, because instead of taking away access for a reason, you never had it in the first place.

`DiaryEntriesController` addresses this by overriding the `deny_access` handler and essentially replicating the knowledge that `hide` and `hidecomment` _require_ an administrator role. Something similar would have to be done for missing capabilities, checking against the `granted_capabilities` helper to attempt to produce a nicer denial message. Note that this is only necessary if you want to provide _specific reasons_ for access refusal.
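The default-deny pattern and the `deny_access` override described in the comment above, as an added example that is not openstreetmap-website's code: CanCanCan is not loaded, so `Ability`, `authorize!`, `granted_capabilities`, `deny_access` and `perform` are hypothetical stand-ins that keep the same semantics (rules are an allow-list, and a denial carries no reason, so the controller side re-derives one from the same facts).

```ruby
# Added example, not openstreetmap-website code. CanCanCan is not loaded; Ability
# and authorize! are a stand-in with the same default-deny semantics (allow-list).
User = Struct.new(:roles, :capabilities)
class AccessDenied < StandardError; end
def admin?(user)
  !user.nil? && user.roles.include?(:administrator)
end
class Ability
  def initialize(user)
    @rules = []
    return if user.nil?
    can :read, :diary_entry
    can :comment, :diary_entry if user.capabilities.include?(:comment)
    return unless admin?(user)
    can :hide, :diary_entry        # hide/hidecomment are granted only to admins
    can :hidecomment, :diary_entry
  end
  def can(action, subject)
    @rules << [action, subject]
  end
  def can?(action, subject)
    @rules.include?([action, subject])
  end
end

def authorize!(user, action, subject)
  # As with CanCanCan, the failure carries no reason: the rule never existed.
  raise AccessDenied unless Ability.new(user).can?(action, subject)
end
# Hypothetical controller-side helpers: deny_access re-derives the reason from
# the same facts the Ability was built from, since the denial cannot say why.
ADMIN_ONLY_ACTIONS = %i[hide hidecomment].freeze
def granted_capabilities(user)
  user ? user.capabilities : []
end
def deny_access(user, action)
  if ADMIN_ONLY_ACTIONS.include?(action) && !admin?(user)
    "#{action} requires an administrator role"
  elsif !granted_capabilities(user).include?(action)
    "missing capability: #{action}"
  else
    "access denied"
  end
end
def perform(user, action, subject)
  authorize!(user, action, subject)
  "#{action} performed"
rescue AccessDenied
  deny_access(user, action)
end
```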
