Guy Sopher - 5 months ago
Ruby Question

Why can't I deauthorize Rack-mini-profiler for non admin users

I am trying to install Rack-mini-profiler on my ROR application.
I installed the gem and the profiler works great in development but I can't deauthorize specific requests for non admin users.
I placed the following code in my ApplicationController before_filter:

    def authorize_mini_profiler
      if current_user.nil?
        Rack::MiniProfiler.deauthorize_request
        return
      elsif is_admin_user
        Rack::MiniProfiler.authorize_request
        return
      end
      Rack::MiniProfiler.deauthorize_request
    end


In debug I saw that the deauthorize method is called but the profiler is still displayed.

I even tried using this code:

    def authorize_mini_profiler
      Rack::MiniProfiler.deauthorize_request
    end


but still, every request by any user displays the profiler.

Does anyone know what might be the problem?

Answer

Well, for those who run into the same problem...

Deeper debugging found that the gem is configured to ignore the authorization mechanism on init. In order to enable profiling only in some cases (e.g. non-production or only for admin users), you need to override the default configuration in application.rb (or preferably some specific config file):

    Rack::MiniProfiler.config.authorization_mode = :whitelist if Rails.env.production?

Otherwise the configuration is set to :allow_all.
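The behaviour the answer describes, as an added example that is not part of the original post and not the gem's own code: a simplified model of the gate showing why the question's filter has no effect until the mode is changed. `ProfilerGateModel`, `show_profiler?`, `visibility_for` and the `User` struct are hypothetical names, and the sample users are constructed.

```ruby
# Simplified stand-in for the profiler's gate (hypothetical; NOT the gem's code). It models only
# what the answer describes: the per-request flag is consulted only in :whitelist mode.
module ProfilerGateModel
  Config = Struct.new(:authorization_mode)

  class << self
    def config
      @config ||= Config.new(:allow_all) # default described in the answer
    end

    def authorize_request
      Thread.current[:gate_model_authorized] = true
    end

    def deauthorize_request
      Thread.current[:gate_model_authorized] = nil
    end

    # Decision taken after the controller filter has run.
    def show_profiler?
      return true unless config.authorization_mode == :whitelist
      Thread.current[:gate_model_authorized] == true
    end
  end
end

User = Struct.new(:name, :admin) # constructed sample users

# Same decision as the question's before_filter, written to fail closed.
def authorize_mini_profiler(current_user)
  if current_user && current_user.admin
    ProfilerGateModel.authorize_request
  else
    ProfilerGateModel.deauthorize_request
  end
end

# Runs the filter for each sample user and records who would see the profiler.
def visibility_for(mode)
  ProfilerGateModel.config.authorization_mode = mode
  users = { anonymous: nil, member: User.new("bob", false), admin: User.new("alice", true) }
  users.map do |label, user|
    ProfilerGateModel.deauthorize_request # fresh request: nothing authorized yet
    authorize_mini_profiler(user)
    [label, ProfilerGateModel.show_profiler?]
  end.to_h
end

p(visibility_for(:allow_all), visibility_for(:whitelist)) if __FILE__ == $PROGRAM_NAME
```

In the model, as in the answer, only the mode switch makes the admin check matter, so a test that loads a page as an anonymous user in the production configuration is the check that catches a missing override.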
