If you have any routes defined that do not fall under the routes automatically defined by Rails with the resources
routes helper (i.e. anything other than index
, show
, new
, create
, edit
, update
, destroy
) you must have an explicit permission configuration defined. This design choice is intended to reduce the risk of accidental exposure of sensitive data by defaulting to having all routes protected. ActiveElement will raise ActiveEleement::UnprotectedRouteError
if an unprotected route is defined.
ActiveElement provides active_element.permit_action
, available in all controllers that inherit from ActiveElement::ApplicationController
.
Use this helper to define a permission that a user must have in order to access a route or, if the route is intended to be available for any signed-in user, specify that it is always permitted.
# app/controllers/application_controller.rb
class ApplicationController < ActiveElement::ApplicationController
prepend_before_action :configure_authentication
private
def configure_authentication
active_element.authenticate_with { authenticate_user! }
active_element.authorize_with { current_user }
end
end
# app/controllers/bookings_controller.rb
class BookingsController < ApplicationController
active_element.permit_action :export_csv, with: 'can_export_bookings_csv'
active_element.permit_action :remaining_tickets, always: true
def export_csv
# ...
end
def remaining_tickets
# ...
end
end
In this example, #export_csv
is only accessible to users with the can_export_bookings_csv
permission, and #remaining_tickets
is always available to any who has passed initial authentication.