1

So I am implementing cancancan into all my models so that both reads and access to each attribute in a model must be authorised

for write operations I can use before_save and before_create but I need something that works for reading data.

My plan is to write some code in ApplicationRecord that would then work for all models with the goal to prevent user from accessing any data they don't have specific privileges for.

While I know there are solutions at the controller level I need the extra security at the model level

Eyeslandic
  • 14,553
  • 13
  • 41
  • 54
Simon
  • 723
  • 8
  • 14
  • `after_initialize` should work for you. And (of course) you'll need to ensure that the model has access to `current_user`for both your `after_initialize` and your `before_save` methods. See this answer for more info... https://stackoverflow.com/questions/1568218/rails-access-to-current-user-from-within-a-model-in-ruby-on-rails – SteveTurczyn May 07 '21 at 17:13

1 Answers1

1

There are callbacks for after_find and after_initialize, but if you want to have it before executing the select query, here is something you can try.

There are few methods being used in the ActiveRecord gem, you just need to override those and have your verification done using cancancan gem.

Here is the pseudo code of what I'm trying to suggest here. Let me know if you need exact code that fix the issue.

class ApplicationRecord
  class << self
    %i[find_with_ids where find_take_with_limit find_nth find_nth_with_limit].each do |attribute|
      define_method :"#{attribute}" do
        super if can_access?
      end
    end

    def can_access?
      can :read, self
    end
  end
end
E_net4
  • 27,810
  • 13
  • 101
  • 139
Hiren Bhalani
  • 848
  • 9
  • 17