Authorize before sending and receiving data

lib/action_cable/channel/base.rb

@@ -35,8 +35,16 @@ def initialize(connection, channel_identifier, params = {})
         subscribe
       end
 
-      def receive(data)
-        raise "Not implemented"
+      def receive_data(data)
+        if authorized?
+          if respond_to?(:receive)
+            receive(data)
+          else
+            logger.error "[ActionCable] #{self.class.name} received data (#{data}) but #{self.class.name}#receive callback is not defined"
+          end
+        else
+          unauthorized
+        end
       end
 
       def subscribe
@@ -52,6 +60,15 @@ def unsubscribe
       end
 
       protected
+        # Override in subclasses
+        def authorized?
+          true
+        end
+
+        def unauthorized
+          logger.error "[ActionCable] Unauthorized access to #{self.class.name}"
+        end
+
         def connect
           # Override in subclasses
         end
@@ -61,7 +78,11 @@ def disconnect
         end
 
         def broadcast(data)
-          connection.broadcast({ identifier: @channel_identifier, message: data }.to_json)
+          if authorized?
+            connection.broadcast({ identifier: @channel_identifier, message: data }.to_json)
+          else
+            unauthorized
+          end
         end
 
         def start_periodic_timers
@@ -80,6 +101,10 @@ def worker_pool
           connection.worker_pool
         end
 
+        def logger
+          connection.logger
+        end
+
     end
 
   end

lib/action_cable/server.rb

@@ -106,7 +106,7 @@ def subscribe_channel(data)
 
       def process_message(message)
         if @subscriptions[message['identifier']]
-          @subscriptions[message['identifier']].receive(ActiveSupport::JSON.decode message['data'])
+          @subscriptions[message['identifier']].receive_data(ActiveSupport::JSON.decode message['data'])
         else
           logger.error "Unable to process message: #{message}"
         end