Pundit authorisation using service objects

The Tools

  1. Pundit Authorisation; experimenting with this pull request linked to from the official Pundit README;
  2. ActiveInteraction domain service objects ("DSOs");
  3. RSpec 2.99.1

**The Project**

The project repo is on Github; what's under scrutiny here is on the pundit-1 branch.

I've followed the Pundit tutorial and gotten authorisation working using "traditional" chubby controllers; see

  • the PostsController#new action and its spec;
  • the Pundit ApplicationPolicy class; and
  • the PostDataPolicy governing authorisation for the Rails model instances of Posts.

All well and good so far. And then we come to the SessionController, whose #new and #destroy actions respectively govern logging in and out.

The current code and spec Work Just Fine using traditional-ish controller logic (see how #new calls private methods that use Pundit to authorise the active (current) user using a SessionDataPolicy).

Then I try to encapsulate that logic within an ActiveInteraction DSO (see the commented-out code in SessionsController#new), and all hell breaks loose.

More specifically, the version of the SessionsController spec in this Gist raises a Pundit::AuthorizationNotPerformedError at the point where the spec calls the #new method.

Whiskey. Tango. FOX?!?!?

Has anybody been able to get similar code working without Pundit living directly inside the controller code, ideally using @billychan's pull request (a better alternate will be gratefully entertained)?

This has me completely flummoxed.

Jeff Dickey asked Jul 22 '14 07:07



1 Answer

Pundit::AuthorizationNotPerformedError is raised because of the #verify_authorized method, which basically checks for the @_pundit_policy_authorized variable.

You can just turn off verification for controllers that don't need it.

UPD: and again, necroposting. I need to pay more attention to dates :\

Nondv answered Oct 19 '22 09:10
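As an added example (not code from the question, the answer or Pundit itself), here is a Rails-free Ruby model of why moving `authorize` into a service object trips `verify_authorized`, and what the answer's "turn off verification" looks like with Pundit's `skip_authorization`. The `MiniPundit` method and ivar names mirror Pundit's real ones; `LoginService`, the `SessionsController#new` arguments and the toy owner-only policy are assumptions.

```ruby
# Added example, not the page's or Pundit's own code: a minimal model of the
# mechanism behind Pundit::AuthorizationNotPerformedError. Method and ivar names
# mirror Pundit's; the controller and service classes are hypothetical.
class AuthorizationNotPerformedError < StandardError; end
class NotAuthorizedError < StandardError; end
# Stand-in for Pundit's controller mixin: authorize sets a per-instance flag,
# verify_authorized (an after_action in real Pundit) checks that same flag.
module MiniPundit
  def authorize(record, user)
    @_pundit_policy_authorized = true
    raise NotAuthorizedError unless record[:owner] == user # toy policy
    record
  end

  def skip_authorization
    @_pundit_policy_authorized = true
  end

  def verify_authorized
    raise AuthorizationNotPerformedError unless @_pundit_policy_authorized
  end
end

# Service object (ActiveInteraction stand-in) that does the authorizing: the
# flag is set on the service instance, never on the controller that calls it.
class LoginService
  include MiniPundit
  def call(session, user)
    authorize(session, user)
  end
end

class SessionsController
  include MiniPundit
  # inline: authorize here (the page's working version) or delegate to the
  # service (the failing version); skip: the answer's fix via skip_authorization
  # (in Rails, skip_after_action :verify_authorized has the same effect)
  def new(session, user, inline:, skip: false)
    inline ? authorize(session, user) : LoginService.new.call(session, user)
    skip_authorization if skip
    verify_authorized
    :logged_in
  end
end

# Runs one variant and returns :logged_in or the class of the error raised.
def outcome(session, user, **opts)
  SessionsController.new.new(session, user, **opts)
rescue AuthorizationNotPerformedError, NotAuthorizedError => e
  e.class
end
```

Note that the delegated variant fails even for the legitimate user: the policy passed, but on the wrong object, so the controller's after_action has nothing to see.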