require_owner code to limit controller actions not recognizing current user as owner

Posted by bgadoci on Stack Overflow See other posts from Stack Overflow or by bgadoci
Published on 2010-05-20T04:04:06Z Indexed on 2010/05/20 4:10 UTC
Read the original article Hit count: 273

I am trying to restrict access to certain actions using a before_filter which seems easy enough. Somehow the ApplicationController is not recognizing that the current_user is the owner of the user edit action. When I take the filter off the controller correctly routes the current_user to their edit view information. Here is the code.

Link to call edit action from user controller (views/questions/index.html.erb):

<%= link_to "Edit Profile", edit_user_path(:current) %>

ApplicationController (I am only posting the code that I think is affecting this but can post the whole thing if needed).

 class ApplicationController < ActionController::Base

    def require_owner
          obj = instance_variable_get("@#{controller_name.singularize.camelize.underscore}") # LineItem becomes @line_item
          return true if current_user_is_owner?(obj)
          render_error_message("You must be the #{controller_name.singularize.camelize} owner to access this page", root_url)
          return false
        end
 end

and the before_filter

class UsersController < ApplicationController

before_filter :require_owner, :only => [:edit, :update, :destroy]

#...

end

I simply get the rendering of the error message from the ApplicationController#require_owner action.

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about ruby