I have a Group resource that I'm trying to set up with proper authorizations.
The authorization logic I'm trying to implement is this:
- Only group members should be able to view their group.
- An admin can view any group, as well as take other actions.
I'm attempting to do this with the following before_filter statements in the group controller:
    before_filter :signed_in_user
    before_filter :correct_user, only: :show
    before_filter :admin_user, only: [:show, :index, :edit, :update, :destroy]
correct_user works, as I have verified that only group members can view their group. However, what I want to happen is for the admin :show clause to override this, so that an admin can view any group. Currently that is not working. I'm guessing I have something wrong here with my filter ordering and options.
Can someone tell me where I've gone wrong?
EDIT
Adding my method code per Amar's request:
    private

    def correct_user
      # User has to be a member to view
      @group = Group.find(params[:id])
      # Look the membership up by the current user's id rather than the User object itself
      redirect_to(root_path) if @group.members.find_by_member_id(current_user.id).nil?
    end

    def admin_user
      redirect_to(root_path) unless current_user.admin?
    end
Update the correct_user method, or create another method with the following definition; remove show from the other filter and add a before_filter with the new method.
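As an added illustration (not code from the question or the answer), here is a plain-Ruby model of the filter chain, with no Rails, showing why two separate filters on :show lock an admin out and how a single member-or-admin check lets both through. User, Group and the :redirect/:render results are constructed stand-ins for the real models and controller responses.

```ruby
# Constructed stand-ins for the Rails models (not the real Group/User classes).
User  = Struct.new(:id, :admin) do
  def admin?; admin; end
end
Group = Struct.new(:id, :member_ids)

# Rails runs before_filters in declaration order and halts the chain at the
# first redirect, so EVERY filter on an action must pass for it to render.
def run_filters(filters, user, group)
  filters.each do |f|
    return :redirect if f.call(user, group) == :redirect
  end
  :render
end

# The question's two filters as independent checks: each one alone can redirect.
CORRECT_USER = ->(user, group) { group.member_ids.include?(user.id) ? :ok : :redirect }
ADMIN_USER   = ->(user, group) { user.admin? ? :ok : :redirect }

# The answer's approach: one filter that passes members OR admins.
MEMBER_OR_ADMIN = lambda do |user, group|
  (user.admin? || group.member_ids.include?(user.id)) ? :ok : :redirect
end

# Original chain for :show (correct_user, then admin_user).
def show_original(user, group)
  run_filters([CORRECT_USER, ADMIN_USER], user, group)
end

# Fixed chain for :show (single merged check).
def show_fixed(user, group)
  run_filters([MEMBER_OR_ADMIN], user, group)
end

# Constructed sample data.
GROUP    = Group.new(1, [10, 11])
MEMBER   = User.new(10, false)
ADMIN    = User.new(99, true)   # admin who is not a member of GROUP
OUTSIDER = User.new(42, false)

if __FILE__ == $0
  puts "original, admin non-member: #{show_original(ADMIN, GROUP)}"  # redirect
  puts "fixed,    admin non-member: #{show_fixed(ADMIN, GROUP)}"     # render
  puts "fixed,    outsider:         #{show_fixed(OUTSIDER, GROUP)}"  # redirect
end
```

Note that in the original chain even a non-admin member is redirected, because admin_user also runs on :show; the merged filter removes that second gate.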