I have a plugin that adds a model, server, which has a user_id field. I want only the owner of the server to be able to make a POST (or maybe it should be a PUT? The action will do a command-line rebuild of a Discourse instance on their server; I’m not sure which would be best practice.)
config/routes.rb is this:
post "/upgrade/:id" => "servers#queue_upgrade", constraints: PfaffmanagerConstraint.new
Is it recommended to have pfaffmanager_constraint.rb check the path_parameters[:action] and enforce the permission there, or to do it in
Also, I think that what I should really do is move this route under namespace :user, so perhaps after I figure that out this problem will get solved as part of that, but this almost works, and I’d like to move to having other people try this code.
Rails route has this:
And my controller tries to enforce permissions:
But my spec is getting a 200 when a different user does the
I guess I need to get Ember to pay attention to this somehow?
Can’t you pass a method to before_action to check your condition?
I think that the permissions need to be enforced in the controller or the constraints. The model doesn’t know who is calling it, I think.
Thanks very much for thinking about this.
I think you need a guardian method to check if a user is allowed to perform a given action, e.g.
Also, once you do that, you can use the guardian.ensure_can_upgrade_server! method, which checks the condition and raises an exception, which I think is exactly what you want.
Ooooh! Guardian method! Yes! I’ll look at those! Thanks.
The only model that uses guardian is the user model. It looks like most of the action with guardian is in the controllers.
For example, the categories controller uses ensure_can_create_category, which I think is magically created over in
But for now, I’m not using guardian because I’m having trouble figuring out how to instantiate it properly. I have this in my controller:
And here are specs that test it:
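The guardian approach suggested above, and the instantiation question in the last post, as an added example that is not code from this thread or from Discourse: a constructed, simplified Guardian that derives ensure_can_*! from can_*? the way Discourse's does, a plugin module (hypothetical name PfaffmanagerGuardianExtension) that adds can_upgrade_server?, and the check a queue_upgrade action would run before doing anything. Inside a real Discourse controller the guardian helper is already built from current_user, so the explicit Guardian.new here only stands in for that.

```ruby
# Constructed stand-ins (not Discourse's code): Discourse::InvalidAccess and a Guardian
# whose ensure_<x>! methods are derived from can_<x>?, the "magic" behind ensure_can_create_category.
module Discourse
  class InvalidAccess < StandardError; end
end

class Guardian
  attr_reader :user

  def initialize(user = nil)
    @user = user
  end

  # ensure_can_foo!(*args) calls can_foo?(*args) and raises when it is false,
  # so a controller fails closed with a single line.
  def method_missing(name, *args, &block)
    predicate = ensure_predicate(name)
    return super unless predicate && respond_to?(predicate)
    raise Discourse::InvalidAccess, "#{predicate} failed" unless send(predicate, *args, &block)
    true
  end

  def respond_to_missing?(name, include_private = false)
    predicate = ensure_predicate(name)
    (predicate && respond_to?(predicate)) || super
  end

  private def ensure_predicate(name)
    m = name.to_s.match(/\Aensure_(.+)!\z/)
    m && :"#{m[1]}?"
  end
end

# Plugin-side extension (hypothetical module name): the ownership rule lives
# here once, so the controller asks the guardian instead of comparing ids itself.
module PfaffmanagerGuardianExtension
  def can_upgrade_server?(server)
    return false if user.nil? || server.nil?   # anonymous callers are denied
    user.admin == true || server.user_id == user.id
  end
end
Guardian.include(PfaffmanagerGuardianExtension)

# Constructed records standing in for the User and server models, and the first
# thing queue_upgrade would do: deny (raise) before any rebuild is queued.
User = Struct.new(:id, :admin, keyword_init: true)
Server = Struct.new(:id, :user_id, keyword_init: true)
def authorize_upgrade(current_user, server)
  Guardian.new(current_user).ensure_can_upgrade_server!(server)
  :queued
end
```

A spec for the controller can then expect the non-owner request to be rejected rather than asserting on a 200, since the raise happens before the action body runs.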