Why doesn't before_filter work the way I expect with restful-authentication?

Question

My application controller looks like this

class ApplicationController < ActionController::Base
  include AuthenticatedSystem
  helper :all # include all helpers, all the time
  protect_from_forgery # :secret => 'sup3rs3cr3t'
  filter_parameter_logging :password

  # Here's the interesting bit
  before_filter :login_required, :except => [:index, :show, :new]
end

Now I have another controller that looks like this

class CompletelySecretController < ApplicationController

  # the other interesting bit
  before_filter :login_required
  def index
    @secrets = Secret.find(:all)
  end
end

I can still see all of the secrets, despite me stating that a login is required for all actions with

before_filter :login_required

Is it not intuitive to think that the before_filter in the child class overrides the before_filter in the parent class?

Answer 1

before_filter in your subclass doesn't override the same call in the super class, but they stack after each other instead. It is how the chain of filters work. If you want to skip the filter added in your ApplicationController, you can use skip_before_filter method - see "Filter Chain Skipping" section here in the filters documentation.