Custom Routes and Declarative Authorization

Question

Don't know if this has been answered before.

Have custom routes to users. If I access the user directly /users/5 everything works. If I try /profile or even /users/current_user with Declarative Authorization I get "Couldn't find User without an ID"

map.profile "profile", :controller => "users", :action => "show"
map.edit_profile 'profile/edit', :controller => 'users', :action => 'edit', :conditions => { :method => :get }

My ApplicationController has

before_filter { |c| Authorization.current_user = c.current_user }

and my authorization_rules has user.id and also tried current_user.id.

role :user do
    includes :guest
    has_permission_on :users, :to => [:show, :edit ] do
    if_attribute :id => is { user.id }
  end
end

What am I doing wrong?

Answer 1

For custom index type routes use
filter_access_to :all

Rather than
filter_resource_access

got me too.

Answer 2

I use AuthLogic, but as far as I know "current_user" is not going to be accessible through a route.

You would need to check, in the controller, if params[:id] == "current_user" (as a string) and then do some logic based on that... i.e:

if params[:id] == "current_user"
  @user_id = current_user.id
else
  @user_id = params[:id]
end
@user = User.find(@user_id)

A very simplistic example, but it should illustrate the type of logic you're going to need to get the current_user from a custom route. You could also just map a named route for current_user to it's own controller action, but that's not very RESTful and would [most likely] duplicate functionality you already have.