devise_masquerade

CanCan example in README causes back action to not be authorized

Open mvz opened this issue 5 years ago • 1 comments

The example in the README for using CanCan suggests the following:

      def masquerade_authorize!
        authorize!(:masquerade, User)
      end

However, the masquerade_authorize! method is also called before the back action. In that case, however, the current user is the unprivileged user, so reverting the masquerade is denied.

mvz, May 20 '20 09:05

It looks like the Pundit example gives a possible solution:

      def masquerade_authorize!
        authorize!(:masquerade, User) unless params[:action] == 'back'
      end

mvz, May 20 '20 09:05
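The failure and the guard discussed in this thread, reproduced as an added example that is not code from the issue or from devise_masquerade. Apart from `masquerade_authorize!` and `authorize!`, every name here (`FakeMasqueradesController`, `dispatch`, `run_flow`, `guard_back`, the `:show` start action) is a hypothetical stand-in, and the sample users are constructed.

```ruby
# Added illustration: a stand-in for the controller flow, not the gem's code.
# The hook runs before both the start action (:show here) and :back.
class AccessDenied < StandardError; end
User = Struct.new(:name, :admin) # constructed sample model

class FakeMasqueradesController
  attr_reader :current_user

  def initialize(current_user, guard_back:)
    @current_user = current_user
    @guard_back = guard_back # true = skip the check on 'back'
    @owner = nil             # who started the masquerade (server-side state)
    @params = {}
  end

  def dispatch(action, target = nil)
    @params = { action: action.to_s }
    masquerade_authorize!
    case action
    when :show then @owner, @current_user = @current_user, target
    when :back then @current_user, @owner = @owner, nil
    end
    :ok
  rescue AccessDenied
    :denied
  end

  private

  # CanCan-like rule (assumption): only admins may :masquerade.
  def authorize!(action, _subject)
    raise AccessDenied unless action == :masquerade && @current_user.admin
  end

  def masquerade_authorize!
    return if @guard_back && @params[:action] == 'back'
    authorize!(:masquerade, User) # evaluated against the *current* user
  end
end

# Returns [result of start, result of back, name of user after back].
def run_flow(guard_back:)
  admin = User.new('admin', true)
  user = User.new('user', false)
  c = FakeMasqueradesController.new(admin, guard_back: guard_back)
  [c.dispatch(:show, user), c.dispatch(:back), c.current_user.name]
end
```

Without the guard the session stays on the unprivileged user because the revert is denied; with it, the original user is restored. In this stand-in, skipping the check on `back` grants nothing new because the action only restores the `@owner` recorded when the masquerade began.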