Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Pundit authorization in index

I have been recently reading through the pundit gem's README and noticed that they never authorize the index view within a controller. (Instead they use scope).

They give good reasoning for this, as an index page generally contains a list of elements, by controlling the list that is generated you effectively control the data on the page. However, occasionally it may be desired to block access to even the index page itself. (Rather than allowing access to a blank index page.) My question is what would be the proper way to perform this?

I have so far come up with several possibilities, and have the following classes:

  • A model MyModel
  • A controller MyModelsController
  • A policy MyModelPolicy

In my index method of my controller, the recommended method to solve this would be as follows:

def index
  @my_models = policy_Scope(MyModel)
end

This will then allow access to the index page, but will filter the results to only what that use can see. (E.G. no results for no access.)

However to block access to the index page itself I have arrived at two different possibilities:

def index
  @my_models = policy_Scope(MyModel)
  authorize @my_models
end

or

def index
  @my_models = policy_Scope(MyModel)
  authorize MyModel
end

Which of these would be the correct path, or is there a different alternative that would be preferred?

like image 204
Chris Britt Avatar asked Aug 25 '16 14:08

Chris Britt


1 Answers

Policy,

class MyModelPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      if user.admin?
        scope.all
      else
        scope.where(user: user)
      end
    end
  end

  def index?
    user.admin?
  end
end

Controller,

def index
  @my_models = policy_scope(MyModel)
  authorize MyModel
end
like image 181
seyyah Avatar answered Oct 05 '22 23:10

seyyah