Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.


So I have got an application that has the following authorisation roles:

  • Admin
  • Owner
  • Member
  • Manager

And my application has to serve multiple clients. So each user has a role that is scoped to a particular client. Classic multi-tenant app.

I have this initialiser:

config.authorization_method = { |controller, action, resource| datatable_authorization_method(controller, action, resource) }

And this on my application controller:

  def datatable_authorization_method(controller, action, resource)
    datatable = controller.instance_variable_get(:@datatable)

    return true if datatable.blank? # We are in one of our own controllers; so permissions are handled in BaseController.
    return true if datatable.attributes[:require_role].blank?

    # We are in Effective::DatatablesController
    case datatable.attributes[:require_role]
    when :owner
      return current_user.account_owner?(current_account)
    when :admin
      return current_user.account_admin?(current_account)
    when :manager
      return current_user.account_manager?(current_account)
    when :member
      return current_user.account_member?(current_account)

And I instantiate an effective datatable like this:

def index
    @contracts_table =, account_id:, require_role: :manager)

And it works fine, so far. But I think it is a little bit hacky to have that datatable = controller.instance_variable_get(:@datatable). I was wondering if the @datatable could be one of the arguments that are passed to the authorization_method. So that it would be like this:

config.authorization_method = { |controller, action, resource, datatable| datatable_authorization_method(controller, action, resource, datatable) }

That way I can be confident that it will not break. What do you think? Or if you could suggest a different alternative.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:9 (9 by maintainers)

github_iconTop GitHub Comments

Neriancommented, Nov 17, 2017

I just tried to replicate that scenario. I logged in as an admin and went to a page with a datatable that only a admin should be able to see. Then, in a different tab, I logged in as a member. A member should not be able to see the datatable. I tried making search – ajax query – on the admin table and I got a Can't verify CSRF token authenticity. So the Datatable sends Rails’s CSRF token but fails to validate.

So perhaps the scenario is not possible.

Neriancommented, Nov 18, 2017

Excellent, sounds good 😃


Read more comments on GitHub >

github_iconTop Results From Across the Web

Authorisation Definition & Meaning - Merriam-Webster
The meaning of AUTHORISATION is British spellings of authorization.
Read more >
AUTHORIZATION | English meaning - Cambridge Dictionary
official permission for something to happen, or the act of giving someone official permission to do something: Medical records cannot be ...
Read more >
Authorization - Wikipedia
Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general ...
Read more >
Authorise vs. authorize
For the verb meaning to grant authority or to give permission, authorize is the standard spelling in American and Canadian English. Authorise is...
Read more >
Authorisation - Definition, Meaning & Synonyms
noun. official permission or approval. synonyms: authority, authorization, sanction · noun. a document giving an official instruction or command. synonyms: ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found