ruby 45 lines · 9 steps

How before_action filters guard a Rails controller

A Rails controller layers authentication, record loading, and ownership checks through ordered before_action filters.

Explained by highlit

Rails Intermediate filters authorization callbacks strong-parameters rest

1class ArticlesController < ApplicationController
before_action :authenticate_user!
before_action :set_article, only: %i[show edit update destroy]
before_action :authorize_owner!, only: %i[edit update destroy]
skip_before_action :authenticate_user!, only: %i[index show]
6 
def index
  @articles = Article.published
end
10 
def show
end
13 
def edit
end
16 
def update
  if @article.update(article_params)
    redirect_to @article, notice: "Article updated."
  else
    render :edit, status: :unprocessable_entity
  end
end
24 
def destroy
  @article.destroy
  redirect_to articles_path, notice: "Article deleted."
end
29 
private
31 
def set_article
  @article = Article.find(params[:id])
end
35 
def authorize_owner!
  return if @article.user == current_user
38 
  redirect_to articles_path, alert: "Not authorized."
end
41 
def article_params
  params.require(:article).permit(:title, :body, :published)
end
45end

01 / 01

STEP 01

Walkthrough

Space play ←→ step click any line

Three takeaways

1before_action filters run in declaration order, so authentication, loading, and authorization stack predictably around each action.
2Scoping filters with only:/skip lets one controller serve public reads and protected writes without per-action conditionals.
3Returning early from an authorization filter and redirecting halts the action chain before the body ever runs.

Related explainers

ruby

require "csv"
 
class SalesReport
  def initialize(path)

Aggregating CSV sales data in Ruby

data-aggregation memoization group_by

Intermediate 6 steps

javascript

'use server'
 
import { revalidatePath } from 'next/cache'
import { redirect } from 'next/navigation'

How a Next.js Server Action updates a post

server-actions authorization validation

Intermediate 7 steps

ruby

module DurationFormatter
  UNITS = [
    ['week', 604_800],
    ['day', 86_400],

Turning seconds into human-readable durations in Ruby

greedy-decomposition modular-arithmetic formatting

Intermediate 7 steps

ruby

class Comment < ApplicationRecord
  belongs_to :post
  belongs_to :author, class_name: "User"

Live-updating comments with Turbo in Rails

turbo-streams callbacks associations

Intermediate 8 steps

ruby

require 'json'
require 'set'
 
class SensitiveScrubber

Recursively scrubbing secrets from JSON

recursion data-masking pattern-matching

Intermediate 7 steps

ruby

class ReportBatcher
  BATCH_SIZE = 500
 
  def initialize(account)

Batching monthly email summaries in Rails

batching service-object background-jobs

Intermediate 7 steps

Share this explainer

Here's the card — post it anywhere.

How before_action filters guard a Rails controller — share card

Made with highlit — turn any snippet into a walkthrough like this in about a minute.

Explain your code

How before_action filters guard a Rails controller

Walkthrough

Related explainers

Aggregating CSV sales data in Ruby

How a Next.js Server Action updates a post

Turning seconds into human-readable durations in Ruby

Live-updating comments with Turbo in Rails

Recursively scrubbing secrets from JSON

Batching monthly email summaries in Rails

Share this explainer

Embed this explainer