Why can't I deauthorize Rack-mini-profiler for non admin users

Question

I am trying to install Rack-mini-profiler on my ROR application. I installed the gem and the profiler works great in development but I can't deauthorize specific requests for non admin users. I placed the following code in my ApplicationController before_filter

def authorize_mini_profiler
    if current_user.nil?
      Rack::MiniProfiler.deauthorize_request
      return
    elsif is_admin_user
      Rack::MiniProfiler.authorize_request
      return
    end
    Rack::MiniProfiler.deauthorize_request
end

In debug I saw that the deauthorize method is called but the profiler is still displayed.

I even tried using this code

def authorize_mini_profiler
    Rack::MiniProfiler.deauthorize_request
end

but still, every request by any user displays the profiler.

Does anyone knows what might be the problem?

Answer 1

Well, for those who run into the same problem...

Deeper debugging found that the gem is configured for ignoring the authorization mechanism on init. In order to enable profiling only on some cases (e.g. non production or only for admin users) you need to override the default configuration in application.rb (or preferably some specific config file):

Rack::MiniProfiler.config.authorization_mode = :whitelist if Rails.env.production?

otherwise the configuration is set to :allowall