Last Updated: February 25, 2016
· Breefield

Declarative Authorization Attribute Check

When you use Declarative Authorization for filtering based on attributes like so:

has_permission_on :gyms, to: [:dashboard] do
  if_attribute user_id: is { user.id }
end

You MUST be sure to set attribute_check on custom actions like so:

filter_access_to :dashboard, :attribute_check => true

As specified in the docs :)

Something like this in a base controller will work for all core routes, but sometimes you need to check attributes on custom actions.

filter_access_to :all
filter_access_to :edit, :update, :show, :attribute_check => true

So just remember: if_attribute conditions, even when defined in your authorization rules, are not checked for an action at all unless its filter_access_to sets attribute_check to true.
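
One way to catch the gap described above is to audit controller source for actions whose filter_access_to never turns on attribute_check. This is an added example, not code from the original tip or from the Declarative Authorization project; the sample controller and the helper names (attribute_check_map, unchecked_actions) are constructed. It assumes one declaration per line, and that a declaration naming an action takes precedence over :all (as the base-controller snippet above relies on), with a later declaration overriding an earlier one.

```ruby
# Constructed sample: :dashboard is filtered, but without attribute_check,
# so the if_attribute rule on user_id would not be evaluated for it.
SAMPLE_CONTROLLER = <<~'RUBY'
  class GymsController < ApplicationController
    filter_access_to :all
    filter_access_to :edit, :update, :show, :attribute_check => true
    filter_access_to :dashboard

    def show; end
    def edit; end
    def update; end
    def dashboard; end
  end
RUBY

FILTER_RE = /^\s*filter_access_to\s+(.+)$/
# Accepts both hash syntaxes: `:attribute_check => true` and `attribute_check: true`.
CHECK_RE = /(?::attribute_check\s*=>|\battribute_check:)\s*true\b/

# Maps each action named in a filter_access_to declaration (including :all)
# to whether that declaration enables attribute_check.
def attribute_check_map(source)
  map = {}
  source.each_line do |line|
    next unless (m = FILTER_RE.match(line))
    args = m[1].sub(/#.*/, '')            # drop trailing comments
    checked = CHECK_RE.match?(args)
    # Leading bare symbols are action names; the options hash ends the list.
    actions = args.split(',').map(&:strip).take_while { |a| a =~ /\A:\w+\z/ }
    actions.each { |a| map[a.delete(':').to_sym] = checked }
  end
  map
end

# Lists the actions defined in the source that would run without attribute checks.
def unchecked_actions(source)
  map = attribute_check_map(source)
  default = map.fetch(:all, false)        # no declaration at all counts as unchecked
  source.scan(/^\s*def\s+(\w+)/).flatten.map(&:to_sym)
        .reject { |action| map.fetch(action, default) }
end

puts unchecked_actions(SAMPLE_CONTROLLER).inspect if __FILE__ == $PROGRAM_NAME
```

Any action it reports is authorized on role and privilege only, so review whether its rules use if_attribute before shipping.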