Authentication in partial rendered by broadcast later

I am having a complete brain meltdown in regards to turbo rails. Scenario:

I have a post model that can have comments; a user should be able to edit their own comments. I have a turbo stream based on the post id so that any comments added to a post are pushed using action cable to each viewer of the post.

Now, I’d like to skip posting the comment to the user adding the post because they already receive the update using the controller.

The problem is that for the author, the added comment should have edit and delete functionality but for the others not (I use cancancan for authentication).

The problem I am facing is that either all users subscribed to the post get to edit/destroy authentication (providing the current user as an actor) or none gets it because the author first gets the partial from the controller (everything works) and then it gets overwritten by the broadcast later job.

What am I missing here? There has to be an acceptable and super easy solution that I am not thinking of.

What you want to do here is to prevent the creator from subscribing to the post's WebSocket channel. If you have set up your connection to track the current_user as specified in the docs, you can use that to check if the creator of the post is the current_user and reject the subscription from there. Here’s the docs showing how to reject
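An added illustration of the problem in the question and of the subscription rejection suggested in the answer above (not code from this thread, and not Rails, Turbo or CanCanCan code): a plain-Ruby model in which a broadcast renders the comment once and sends the same HTML to every subscriber. `User`, `Comment`, `PostStream`, `render_comment` and `simulate` are hypothetical stand-ins, and the sample data is constructed.

```ruby
require "erb"

# Constructed sample types; hypothetical stand-ins, not Rails/Turbo classes.
User    = Struct.new(:id, :name)
Comment = Struct.new(:id, :author, :body)

# Stand-in for the comment partial with its per-viewer ability check.
PARTIAL = ERB.new(<<~HTML, trim_mode: "-")
  <div id="comment_<%= comment.id %>">
    <%= ERB::Util.html_escape(comment.body) %>
  <%- if viewer && viewer.id == comment.author.id -%>
    <a href="/comments/<%= comment.id %>/edit">Edit</a>
  <%- end -%>
  </div>
HTML

def render_comment(comment, viewer:)
  PARTIAL.result_with_hash(comment: comment, viewer: viewer)
end

# One stream per post. A broadcast renders the partial ONCE, outside any
# request, and the same HTML replaces the comment on every subscriber's page.
class PostStream
  attr_reader :pages
  def initialize; @pages = {}; end

  # Models the suggested fix: the creator's subscription is rejected.
  def subscribe(user, creator: nil)
    return false if creator && user.id == creator.id
    @pages[user] = nil
    true
  end

  def broadcast(comment, actor: nil)
    html = render_comment(comment, viewer: actor)
    @pages.transform_values! { html }
  end
end

# Returns who ends up seeing the Edit link after controller + broadcast.
def simulate(reject_creator:, actor_given:)
  alice, bob = User.new(1, "alice"), User.new(2, "bob")
  comment = Comment.new(7, alice, "First!")
  stream = PostStream.new
  subscribed = stream.subscribe(alice, creator: reject_creator ? alice : nil)
  stream.subscribe(bob)
  alice_page = render_comment(comment, viewer: alice) # controller response
  stream.broadcast(comment, actor: actor_given ? alice : nil)
  alice_page = stream.pages[alice] if subscribed      # broadcast overwrites
  { alice: alice_page.include?("Edit"), bob: stream.pages[bob].include?("Edit") }
end
```

In this model only the last combination (no actor passed to the broadcast, creator not subscribed) leaves the Edit link visible to the author alone.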

That’s exactly what I ended up doing. Turbo makes it so simple I even forgot it is using action cable under the hood.

The cool thing is that when I sorted out the current user identifier in action cable, I didn’t have any problems with the access rights missing, so I actually don’t need to skip the current user because all the checks are done with the right user.

Thanks for the part with rejection though, I’ll add a todo item for after the release.


Sweet, I’m glad you were able to resolve this!