
We get an error with declarative authorization on CREATE and UPDATE requests. We are not sure why, as the error somehow shows no user being authenticated, and somehow the session is getting lost:

```
Authorization::NotAuthorized in CartypesController#update

No matching rules found for update for # (roles [:guest], privileges [:update], context :cartypes).
```

The role "backoffice" has the rights in authentication_controller.rb: `has_permission_on :cartypes, :to => [:index, :show, :new, :create, :edit, :update, :destroy, :delete]`

On Stack Overflow there is a similar issue: Link to Stackoverflow Question

We are new to Rails and have tried this out for the first time; the other actions, show and list (GET operations), work fine.

Any help appreciated... thx.

EDIT: We were able to solve this, as we found out the documentation on "declarative authorization" was not so clear when discussing model security! If you read very carefully, when using model security it is necessary to set `Authorization.current_user` to the request's user (in application_controller.rb). For rails-n00bs it might not be so clear...

Comment: Could you add the information from your comment to the question itself? And could you add the following information: gems you have added (for declarative authentication?), changes to the routes file. – mliebelt Sep 17 '11 at 15:20

1 Answer

Do you include the authenticity_token parameter in your request? By default, Rails enforces that PUT, POST and DELETE requests carry this token to prevent cross-site request forgery.

If you do not include it, Rails will reset the session automatically to prevent the CSRF attack.

Have a look at Understanding the Rails Authenticity Token. Faisal explained it very well.

http://guides.rubyonrails.org/security.html

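The two mechanisms discussed in this thread (the forgery check resetting the session on a PUT without a valid token, and the authorization layer then seeing only the :guest role), modelled in plain Ruby as an added example; this is not Rails' or declarative_authorization's own code, and the user table, the guest permissions and the session layout are constructed assumptions:

```ruby
require 'securerandom'

# Permission table from the question (role :backoffice on :cartypes);
# the :guest entry is a constructed assumption (read-only).
PERMISSIONS = {
  backoffice: { cartypes: [:index, :show, :new, :create, :edit, :update, :destroy, :delete] },
  guest:      { cartypes: [:index, :show] }
}

# Constructed sample user store: user id 42 carries the :backoffice role.
USERS = { 42 => { name: 'alice', roles: [:backoffice] } }

# Constant-time string comparison so the token check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Models protect_from_forgery: GET/HEAD are exempt; any other verb must carry an
# authenticity_token matching the one stored in the session, otherwise the whole
# session (including :user_id) is dropped, as the answer describes.
def verify_authenticity_token(method, session, params)
  return session if [:get, :head].include?(method)
  expected = session[:_csrf_token].to_s
  given    = params[:authenticity_token].to_s
  !expected.empty? && secure_compare(expected, given) ? session : {}
end

# What the question's EDIT fixed: the current user must be derived from the
# request's session on every request; with no user, only :guest applies.
def roles_for(session)
  user = USERS[session[:user_id]]
  user ? user[:roles] : [:guest]
end

def authorized?(roles, context, privilege)
  roles.any? { |r| PERMISSIONS.fetch(r, {}).fetch(context, []).include?(privilege) }
end

# Forgery check runs first (as in Rails' filter chain), then authorization.
# Returns :ok or a NotAuthorized-style message like the one in the question.
def handle_request(method, session, params, context, privilege)
  session = verify_authenticity_token(method, session, params)
  roles = roles_for(session)
  return :ok if authorized?(roles, context, privilege)
  "No matching rules found for #{privilege} (roles #{roles.inspect}, privileges [:#{privilege}], context :#{context})"
end

if __FILE__ == $0
  token = SecureRandom.hex(16)
  logged_in = { user_id: 42, _csrf_token: token }
  puts handle_request(:put, logged_in, { authenticity_token: token }, :cartypes, :update)
  puts handle_request(:put, logged_in, {}, :cartypes, :update)  # token missing: session reset, guest denied
end
```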