Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Pundit policies with two input parameters

Tags:

ruby-on-rails

ruby-on-rails-4

pundit

policies

I'm pretty new with Rails and I have a problem with the following policies (using Pundit): I'd like to compare two objects: @record and @foo, as you can see here:

class BarPolicy < ApplicationPolicy
  def show?
    @record.foo_id == @foo
  end
end

I don't reach to find a good way to pass a second parameter to pundit methods (@foo).

I'd like to do something like:

class BarsController < ApplicationController
  def test
    authorize bar, @foo, :show? # Throws ArgumentError
    ...
  end
end

But the Pundit authorize method allows only two parameters. Is there a way to solve this issue?

Thanks!

like image 348
Rowandish Avatar asked Jan 29 '15 14:01

Rowandish

2 Answers

Relying on more than the current user and a domain model is a code smell, but in case it really is required, then you can use a custom query method with any number of parameters and raise an exception if the requirements don't met:

class BarPolicy < ApplicationPolicy
  def authorize_test?(foo)
    raise Pundit::NotAuthorizedError, "not authorized to test" unless record.foo_id == foo
  end
end

class BarsController < ApplicationController
  def test
    skip_authorization && BarPolicy.new(current_user, @record).authorize_test?(@foo)
    ...
  end
end

The skip_authorization && part is not required if after_action :verify_authorized is not used, I just wanted to show a one-liner that can be used in this case to get rid of the not-authorized exception while still having the requirement to authorize the action.

like image 114
István Ujj-Mészáros Avatar answered Sep 19 '22 01:09

István Ujj-Mészáros

I found the answer at here.

Here is my way:

Add a pundit_user function in ApplicationController:

class ApplicationController < ActionController::Base
include Pundit
def pundit_user
    CurrentContext.new(current_user, foo)
end

Create the CurrentContext class:

/lib/pundit/current_context.rb
class CurrentContext
  attr_reader :user, :foo

  def initialize(user, foo)
    @user = user
    @foo = foo
  end
end

Update the initialize Pundit method.

class ApplicationPolicy
  attr_reader :user, :record, :foo

  def initialize(context, record)
    @user = context.user
    @foo = context.foo
    @record = record
  end
end
like image 32
Rowandish Avatar answered Sep 19 '22 01:09

Rowandish
Sign in to Comment

Related questions

Error: cross-thread violation on rb_gc()
Is there built in support in rails for the default value substitution idiom?
How can I render a template outside of a controller in Rails 3?
What is the socket declaration for, in Ruby on Rails database.yml?
Why use Proc.new to call a method in a Rails callback?
devise config.timeout_in not working
Communicate between a Rails app and a Node.js app
testing nested routes with rspec
rubyMine 'Unable to attach test reporter to test framework'
Using Rails helpers to render partials
Rails 3.2 - haml vs. erb. Is haml faster? (february 2012)
Installing rmagick 2.13.1 with graphicsmagick on Ubuntu 10.04
config.assets.precompile not adding vendor/gem assets
Is it possible to skip the asset precompile step for a single git push on Heroku?
Rails/Ruby - Prepopulate form with data passed from another page
Assets won't precompile when deploying with capistrano to production on amazon EC2
Why I can not call super in define_method with overloading method?
rails 4 - stripe_event functions
Implementing multiple user roles
How to do live reload with Rails 4 and Ruby 2.0 app?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!