Authority has had two new features for Rails controllers, added recently by Igor Davydov.
Preventing “forgot to authorize” errors
First, we have a new controller method,
ensure_authorization_performed. This sets up an
after_filter to raise an exception if the action completes without having any authorization run.
This should be a handy tool in development mode for making sure you haven’t forgotten any actions. Igor borrowed the idea from CanCan’s
check_authorization method, but Authority’s implementation is a bit more flexible, allowing you to roll your own skippable filters if you like.
Shorthand for nested resources
Second, for times when you want to authorize all actions in a controller the same way, we now have an
all_actions key. This could be handy for nested resources. As the README says: you might say “you’re allowed to do anything you like with an employee if you’re allowed to update their organization”.
class EmployeesController < ApplicationController authorize_actions_for :parent_resource, all_actions: :update private def parent_resource Employer.find(params[:employer_id]) end end
Both features are now documented in the README and in the CHANGELOG file.