I'm using devise and cancan in a Rails 3.2 project. I have an event model with a boolean flag public. If the event is marked as public => true then I want anybody, signed in or not to be able to access the record with
GET /events/:id
If it is marked as public => false then a series of cancan abilities will decide authorization and access to the above resource.
What is the best pattern for achieving this?
You can do that by skip the authenticate_user! in case of you have this args
skip_before_filter :authenticate_user!, :only => :show, :if => lambda {
if params[:id]
@event = Event.find(params[:id])
@event and @event.public?
else
false
end
}
No, do not skip authentication. You want to skip authorization. A better solution would be to explicitly authorize events with public => true.
In your cancan ability class:
can :read, Event do |e|
some_other_authorization_boolean || e.public?
end
This ability would be given to all users; even ones that are not logged in.
来源:https://stackoverflow.com/questions/9573353/what-is-the-best-way-to-bypass-devise-authorization-for-a-specific-record-marked