Rails Declarative Authentication fails
We get an error with declarative authentication on CREATE and UPDATE. We are not sure why, as somehow the error shows no user being authenticated and somehow the session is getting lost:
`Authorization::NotAuthorized in CartypesController#update
No matching rules found for update for # (roles [:guest], privileges [:update], context :cartypes). `
The role "backoffice" has the rights in the authentication_controller.rb: `has_permission_on :cartypes, :to => [:index, :show, :new, :create, :edit, :update, :destroy, :delete]`
In stackoverflow there is a similar issue: Link to Stackoverflow Question
We are new to Rails and have tried this out for the first time; show and list work fine (GET operations).
Any help appreciated... thx.
EDIT: We were able to solve this, as we found out the documentation on "declarative authorization" was not so clear when discussing model security! If you read very carefully, when using model security it is needed to set Authorization.current_user to the request's user (in application_controller.rb). For rails-n00bs it might not be so clear...
Do you include the authenticity_token parameter in your request? By default, Rails enforces that PUT, POST and DELETE requests carry this token to prevent Cross-site request forgery.
If you do not include it, Rails will reset the session automatically to prevent the CSRF attack.
Have a look at Understanding the Rails Authenticity Token. Faisal explained it very well.
http://guides.rubyonrails.org/security.html
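The two explanations on this page (the asker's EDIT about setting Authorization.current_user in a before_filter, and the answer's point that a missing authenticity_token resets the session) both end in the same place: the request is evaluated with roles [:guest] and the update is denied. The following is an added example written for this page, not code from the question, the answer or the declarative_authorization gem; it models that chain in plain Ruby without Rails so it can be run offline. The rule table `RULES`, the `User` struct, and the helper names (`handle_request`, `verify_authenticity`, `set_current_user`) are constructed for the illustration; only the shape of the rule (`has_permission_on :cartypes, :to => [...]`) and the `Authorization.current_user` slot follow what the page shows.

```ruby
# Added example (not from the question, the answer, or the declarative_authorization gem).
# A self-contained model of: rule lookup by role, the Authorization.current_user slot,
# the before_filter that fills it, and the session reset on a missing CSRF token.
require "securerandom"

# Constructed sample rules in the style of the page's
# "has_permission_on :cartypes, :to => [...]" line for the backoffice role.
RULES = {
  :backoffice => { :cartypes => [:index, :show, :new, :create, :edit, :update, :destroy, :delete] },
  :guest      => { :cartypes => [:index, :show] }
}

User = Struct.new(:login, :roles)

# Stand-in for the gem's Authorization.current_user: "who is acting" for this request.
module Authorization
  class NotAuthorized < StandardError; end
  class << self
    attr_accessor :current_user
  end
end

# Roles of the acting user; no user at all (or a lost session) means [:guest].
def current_roles
  u = Authorization.current_user
  u ? u.roles : [:guest]
end

def permitted?(action, context)
  current_roles.any? { |r| (RULES.dig(r, context) || []).include?(action) }
end

# Raises with a message shaped like the one in the question when no rule matches.
def authorize!(action, context)
  return true if permitted?(action, context)
  raise Authorization::NotAuthorized,
        "No matching rules found for #{action} for #{Authorization.current_user.inspect} " \
        "(roles #{current_roles.inspect}, privileges [#{action.inspect}], context #{context.inspect})"
end

# --- Controller-side plumbing -------------------------------------------------
# The session is a Hash; the CSRF token lives in it, as Rails keeps it.
def new_session(user = nil)
  { :user => user, :_csrf_token => SecureRandom.hex(16) }
end

# Mirrors the answer: a state-changing request whose authenticity_token does not
# match the session's token gets a fresh session, which also drops the logged-in user.
def verify_authenticity(session, method, params)
  return session if [:get, :head].include?(method)
  return session if params[:authenticity_token] == session[:_csrf_token]
  new_session(nil)   # session reset: user gone, so roles fall back to [:guest]
end

# The fix from the EDIT: a before_filter in application_controller.rb that copies
# the session's user into Authorization.current_user on every request.
def set_current_user(session)
  Authorization.current_user = session[:user]
end

# One request through the whole chain. Passing set_user = false simulates the
# forgotten before_filter. Returns :ok or the NotAuthorized message.
def handle_request(session, method, action, params, set_user = true)
  session = verify_authenticity(session, method, params)
  Authorization.current_user = nil          # each request starts with nobody acting
  set_current_user(session) if set_user
  authorize!(action, :cartypes)
  :ok
rescue Authorization::NotAuthorized => e
  e.message
end

if __FILE__ == $0
  backoffice = User.new("alice", [:backoffice])
  s = new_session(backoffice)
  puts handle_request(s, :put, :update, { :authenticity_token => s[:_csrf_token] })
  puts handle_request(s, :put, :update, { :authenticity_token => s[:_csrf_token] }, false)
  puts handle_request(s, :put, :update, {})
end
```

Run it and the three lines show the three outcomes: an update with both the before_filter and a valid token succeeds, while either skipping the before_filter or omitting the token yields the "roles [:guest]" denial from the question, even though the user is logged in.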