Reputation: 1224
Pundit - Policies are not recognised
I am implementing pundit and wish to restrict the user#edit and user#update actions to only the current_user
def edit
@user = current_user
authorize(@user)
end
def update
@user = current_user
authorise(@user)
if @user.update_attributes(user_params)
flash[:success] = "Profile updated"
redirect_to edit_user_path
else
render 'edit'
end
end
The following is my attempted policy which (a) does not work and (b) is illogical.
class UserPolicy
attr_reader :user, :user
def initialise(user, user)
@user = user
end
def update?
true
end
alias_method :edit?, :update?
end
I have now updated my UserPolicy as per below. I have set the actions to false for testing as everything was being authorised:
class UserPolicy < ApplicationPolicy
def new?
create?
end
def create?
false
end
def edit?
update?
end
def update?
false
#user.id == record.id
end
end
However my policies are not recognised. Upon further reading I added the following to my ApplicationController:
after_filter :verify_authorized, except: :index
after_filter :verify_policy_scoped, only: :index
When I now navigate to my user#edit action I receive:
Pundit::AuthorizationNotPerformedError
Upvotes: 1
Views: 2056
Answers (1)
Reputation: 4596
First, make sure you have...
your-app/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
include Pundit
end
your-app/app/policies/application_policy.rb with default permissions for common actions.
class ApplicationPolicy
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
false
end
def new?
create?
end
def update?
false
end
def edit?
update?
end
def destroy?
false
end
def scope
Pundit.policy_scope!(user, record.class)
end
class Scope
attr_reader :user, :scope
def initialize(user, scope)
@user = user
@scope = scope
end
def resolve
scope
end
end
Then, in your UserPolicy
your-app/app/policies/section_policy.rb
class UserPolicy < ApplicationPolicy
def edit?
user.id == record.id
end
def update?
edit?
end
end
So, by default, user will be your current user and record will be the @user defined on edit and update actions.
You don't need to call authorize method explicitly. Pundit knows what to do with your @user attribute. So, your controller should be:
def edit
user
end
def update
if user.update_attributes(user_params)
flash[:success] = "Profile updated"
redirect_to edit_user_path
else
render 'edit'
end
end
private
def user
@user ||= User.find(params[:id])
end
you must know if you don't have a
current_usermethod, yo will need to define a pundit_user in your application controller.
Upvotes: 2
Related Questions
- How to use a default app/policies/application_policy.rb?
- Pundit AuthorizationNotPerformedError/PolicyScopingNotPerformedError
- STI and PUNDIT - unable to find policy
- Pundit::NotDefinedError: unable to find policy `UserPolicy`
- Rails 4 - Pundit - policies not working
- Pundit::NotDefinedError: unable to find policy when moving from Pundit 0.3 to 1.0
- rails4 + Pundit model instance not defined in policy
- Rails 4 - Pundit::PolicyScopingNotPerformedError
- Ruby gem Pundit doesn't appear to be doing the policy correctly
- Pundit is unable to find namespaced policies