Using except with filter access to all for Declarative Authorization

One of the problems with using Declarative Authorization for controlling access to controller methods in your Ruby on Rails application is that the function filter_access_to does not have an except or skip option. This means that if you have five methods in your controller and only want to protect four of them you have to list them specifically, which can become a bit tedious.

However, the workaround is quite easy and quite logical. In your authorization_rules.rb file you simply add the method you want to skip authorization on to the guest role. There are of course other way and patterns to do this as well, but it seems like a quite common question to want to use the following pattern.

# This is not supported by Declarative Authorization since it simply does not have an except option.
filter_access_to :all, except => [:show]

Read the full details on filter_access_to

Here is a full example of an easy and maintainable workaround

# Example controller
class ExampleController < ApplicationController
  filter_access_to :all

  def index

  def show

  def new

  def create

  def edit

  def update

# authorization_rules.rb
authorization do
  role :guest do
      has_permission_on :exampel, to => [:show]

  role :user do
      has_permission_on :example, to => [:index, :new, :create, :edit, :update]
      # or as an alternative and maybe more speaking for this example
      has_permission_on :example, to => :all

This will allow everyone to access your show method and only users to access all the other methods without specifically listing all the methods in your controller you want to protect after filter_access_to.

comments powered by Disqus