cancan skip_authorization_check for Devise authentication

Frontend · unresolved · 1 answer · 1874 views
暖寄归人 2021-02-05 07:40

Because anyone can sign up and then log in,... and because a user isn't identified for roles until after log in, doesn't it make sense to skip authorization_check for Devise?

1 answer
  • 2021-02-05 08:08

    The easy solution

    check_authorization :unless => :devise_controller?
    

    If you have to put check_authorization in every controller manually, at some point you will forget and open a security hole in your app. It's better to explicitly whitelist controllers that don't need auth by cancan.

    This is made clear in the CANCAN docs at

    https://github.com/ryanb/cancan/wiki/Ensure-Authorization

    EDIT

    class ApplicationController < ActionController::Base
      # Run CanCan's authorization check after every action unless the
      # predicate says this controller is exempt.
      check_authorization :unless => :do_not_check_authorization?

      private

      # Whitelist of controllers that never call authorize!.
      # Devise defines devise_controller? on every controller, so
      # respond_to?(:devise_controller?) would be true everywhere and
      # silently disable the check app-wide; call the predicate itself.
      def do_not_check_authorization?
        devise_controller? ||
          condition_one? ||
          condition_two?
      end

      def condition_one?
        # ... your own condition here
        false
      end

      def condition_two?
        # ... your own condition here
        false
      end
    end
    
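The following is an added example, not code from the answer above nor from CanCan or Devise. It is a stand-alone Ruby mimic of the three pieces the answer relies on (Rails action dispatch with an after-action hook, Devise's `devise_controller?` helper, and CanCan's `check_authorization :unless => ...`) so the whitelist predicate can be exercised without Rails. It also shows why the predicate must call `devise_controller?` rather than `respond_to?(:devise_controller?)`: Devise adds that helper to every controller, so the latter is always true and disables the check app-wide. All class and method names are assumptions for the example; the controllers and actions are constructed, not from any real app.

```ruby
# Stand-in for CanCan::AuthorizationNotPerformed.
class AuthorizationNotPerformed < StandardError; end

# Stand-in for Devise::Controllers::Helpers, which Devise mixes into every
# controller: the method exists everywhere but is only true inside
# controllers that inherit from DeviseController.
module DeviseHelpers
  def devise_controller?
    is_a?(DeviseController)
  end
end

# Stand-in for ActionController::Base plus CanCan's controller additions.
class BaseController
  include DeviseHelpers

  # Mimic of `check_authorization :unless => :predicate`: remember the
  # predicate so subclasses inherit it through skip_predicate.
  def self.check_authorization(options = {})
    @skip_predicate = options[:unless]
  end

  def self.skip_predicate
    return @skip_predicate if defined?(@skip_predicate)
    superclass.respond_to?(:skip_predicate) ? superclass.skip_predicate : nil
  end

  # Mimic of CanCan's authorize!: records that the action authorized.
  def authorize!(*_args)
    @authorized = true
  end

  # Mimic of Rails running the action and then CanCan's after_action,
  # which raises unless authorize! ran or the predicate said to skip.
  def process(action)
    @authorized = false
    public_send(action)
    pred = self.class.skip_predicate
    return :ok if pred && send(pred)
    raise AuthorizationNotPerformed, "#{self.class}##{action}" unless @authorized
    :ok
  end
end

# The answer's pattern: whitelist Devise controllers, check everyone else.
class ApplicationController < BaseController
  check_authorization :unless => :do_not_check_authorization?

  private

  def do_not_check_authorization?
    devise_controller?
  end
end

# In a real app Devise's controllers inherit from ApplicationController.
class DeviseController < ApplicationController; end

class SessionsController < DeviseController
  def new; end        # sign-in form: no authorize!, legitimately exempt
end

class PostsController < ApplicationController
  def index; end      # forgot authorize!: must be caught

  def show
    authorize! :read, :post
  end
end

# Same pattern with respond_to?(:devise_controller?) as the predicate.
# The helper is defined on every controller, so this is always true and
# the check is silently disabled for the whole app.
class LeakyApplicationController < BaseController
  check_authorization :unless => :do_not_check_authorization?

  private

  def do_not_check_authorization?
    respond_to?(:devise_controller?)
  end
end

class LeakyPostsController < LeakyApplicationController
  def index; end      # forgot authorize!, but nothing will notice
end

# Runs one action and reports whether CanCan's after_action let it through.
def dispatch(controller_class, action)
  controller_class.new.process(action)
rescue AuthorizationNotPerformed
  :authorization_not_performed
end

if __FILE__ == $PROGRAM_NAME
  p dispatch(SessionsController, :new)      # :ok  (whitelisted Devise controller)
  p dispatch(PostsController, :show)        # :ok  (authorize! was called)
  p dispatch(PostsController, :index)       # :authorization_not_performed
  p dispatch(LeakyPostsController, :index)  # :ok  (hole: check never runs)
end
```

The last call is the one to watch: with the `respond_to?` predicate a controller that forgets `authorize!` passes silently, which is exactly the hole the answer says a whitelist is meant to prevent. Keeping the exemption list short and naming the predicate `devise_controller?` directly keeps the after-action check live for every other controller.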