Multiple before_filter statements for correct_user and admin

pejmanjohn picture pejmanjohn · Apr 14, 2012 · Viewed 10.4k times · Source

I have a Group resource that I'm trying to set up with proper authorizations.

The authorization logic I'm trying to implement is this:

  1. Only group members should be able to view their group.
  2. An admin can view any group, as well as take other actions.

I'm attempting to do this with the following before_filter statements in the group controller:

before_filter :signed_in_user
before_filter :correct_user, only: :show
before_filter :admin_user, only: [:show, :index, :edit, :update, :destroy]

Correct_user works as I have verified that only group members can view their group. However, what I want to happen is for the admin :show clause to override this, so that an admin can view any group. Currently that is not working. I'm guessing I have something wrong here with my filter ordering and options.

Can someone tell me where I've gone wrong?

EDIT

Adding my method code per Amar's request:

private

def correct_user
  # User has to be a member to view
  @group = Group.find(params[:id])
  redirect_to(root_path) if @group.members.find_by_member_id(current_user).nil?
end

def admin_user
  redirect_to(root_path) unless current_user.admin?
end

Answer

Amar picture Amar · Apr 21, 2012

Update the correct_user method or create another method with the following definition, remove show from other filter and add before_filter with new method.

def correct_user
   @group = Group.find(params[:id])
   redirect_to(root_path) if @group.members.find_by_member_id(current_user).nil?  && !current_user.admin?
end