Help with gestalt of Pundit's authorize, please

17 views
Skip to first unread message

Ralph Shnelvar

unread,
Jul 17, 2017, 3:02:11 AM7/17/17
to Ruby on Rails: Talk
The best explanation I have found for the gestalt of Pundit is https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ 

And yet ... I don't get it.

I can understand each statement in https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ ... but when I get to what the "authorize(@post)" in
def create
  @post = Post.new(params[:post])
  authorize(@post)
  
end
does ... I don't get it.

I'm trying to put together an English sentence for "authorize(@post)".  Please tell me if I'm close.



authorize(@post)
means ...

For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError exception if PostPolicy#create? returns false



I think the "hidden" inputs to authorize come from the following sources:
current_user             from Devise's current_user
@post                       is the self-evident argument to authorize
PostPolicy                 is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
create?                      is built from params[:action].  That is, since we know we're in def create then params[:action] must be "create".

How close am I?

Ralph

Ralph Shnelvar

unread,
Jul 17, 2017, 8:08:08 AM7/17/17
to Ruby on Rails: Talk
While I'm at it ...

In
authorize(@post)
WHAT is being "authorize-d"?  The @post ?  The current_user ?  The controller action ?  Something else ?

Ralph

Frederick Cheung

unread,
Jul 18, 2017, 1:40:11 PM7/18/17
to Ruby on Rails: Talk


On Monday, July 17, 2017 at 8:02:11 AM UTC+1, Ralph Shnelvar wrote:

authorize(@post)
means ...

For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError exception if PostPolicy#create? returns false



I think the "hidden" inputs to authorize come from the following sources:
current_user             from Devise's current_user
@post                       is the self-evident argument to authorize
PostPolicy                 is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
create?                      is built from params[:action].  That is, since we know we're in def create then params[:action] must be "create".



sounds about right. This is described in the pundit readme ( https://github.com/elabs/pundit

Fred

Frederick Cheung

unread,
Jul 18, 2017, 1:41:22 PM7/18/17
to Ruby on Rails: Talk

On Monday, July 17, 2017 at 1:08:08 PM UTC+1, Ralph Shnelvar wrote:
While I'm at it ...

In
authorize(@post)
WHAT is being "authorize-d"?  The @post ?  The current_user ?  The controller action ?  Something else ?


All 3: this checks that the current user can perform a given action (inferred from controller action) upon the passed object.

It might be better phrased as "check_authorized" rather than "authorize", which sounds a bit like you are granting accessing rather than checking for access

Fred
Reply all
Reply to author
Forward
0 new messages