We are using grape api in our project. We used cancancan gem for authorization. Now we are thinking to add the check_authorization callback of CanCanCan to the Grape API. This ensures that each and every endpoint does a authorize! call (except if it’s explicitly skipped).
I added check_authorization in ApplicationController. But it seems does not make any impact.
class ApplicationController < ActionController::Base
check_authorization
end
in my resource file
desc 'Get a specific job post'
get ':id' do
job_post =
JobPost.accessible_by(current_ability).find(params[:id)
current_ability.authorize! :show, job_post
present job_post, with: Entities::JobPost
end
So far I understand, if any authorizaton is not declared in api file explicitly, check_authorzation method will triggers and raise cancan access denied. But I don't get any message if I don't authorize in job_post. suppose I comment this line
# current_ability.authorize! :show, job_post
and it should raise unauthorized, if check_authorization is triggered. But it seems application controller is not connected with grape apis.