Two New Features in Authority

Posted on: October 4, 2013

Authority has had two new features for Rails controllers, added recently by Igor Davydov.

Preventing “forgot to authorize” errors

First, we have a new controller method, ensure_authorization_performed. This sets up an after_filter to raise an exception if the action completes without having any authorization run.

This should be a handy tool in development mode for making sure you haven’t forgotten any actions. Igor borrowed the idea from CanCan’s check_authorization method, but Authority’s implementation is a bit more flexible, allowing you to roll your own skippable filters if you like.

Shorthand for nested resources

Second, for times when you want to authorize all actions in a controller the same way, we now have an all_actions key. This could be handy for nested resources. As the README says: you might say “you’re allowed to do anything you like with an employee if you’re allowed to update their organization”.

class EmployeesController < ApplicationController
  authorize_actions_for :parent_resource, all_actions: :update
  private
  def parent_resource
    Employer.find(params[:employer_id])
  end
end

Both features are now documented in the README and in the CHANGELOG file.