Question about getting Rails 5 and Pundit authorization working with Namespaces.
With Pundit, in the controller I wanted to use policy_scope([:admin, @car]
which will use the Pundit policy file located in: app/policies/admin/car_policy.rb
. I'm having issues trying to Pundit working with this namespace - without a namespace, it works fine.
Application is running:
- Rails 5
- Devise for authentication
- Pundit for authorization
My namespace is for admins
for example.
- Standard user > http://garage.me/cars
- Admin user >http://garage.me/admin/cars
The route.rb
file looks like:
# config/routes.rb
devise_for :admins
root: 'cars#index'
resources :cars
namespace :admin do
root 'cars#index'
resources :cars
end
I've setup a Pundit ApplicationPolicy
and to get Namespaces working with Pundit's authorize
method: @record = record.is_a?(Array) ? record.last : record
# app/policies/application_policy.rb
class ApplicationPolicy
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record.is_a?(Array) ? record.last : record
end
def scope
Pundit.policy_scope!(user, record.class)
end
class Scope
attr_reader :user, :scope
def initialize(user, scope)
@user = user
@scope = scope
end
def resolve
scope
end
end
end
In the Admin::CarsController
this works authorize [:admin, @cars]
class Admin::CarsController < Admin::BaseController
def index
@cars = Car.order(created_at: :desc)
authorize [:admin, @cars]
end
def show
@car = Car.find(params[:id])
authorize [:admin, @car]
end
end
But I would like to use Policy Scope
class Admin::CarPolicy < ApplicationPolicy
class Scope < Scope
def resolve
if user?
scope.all
else
scope.where(published: true)
end
end
end
def update?
user.admin? or not post.published?
end
end
In the Admin::CarsController
class Admin::CarssController < Admin::BaseController
def index
# @cars = Car.order(created_at: :desc) without a policy scope
@cars = policy_scope([:admin, @cars]) # With policy scope / doesn't work because of array.
authorize [:admin, @cars]
end
def show
# @car = Car.find(params[:id]) without a policy scope
@car = policy_scope([:admin, @car]) # With policy scope / doesn't work because of array.
authorize [:admin, @car]
end
end
I'm getting an error because Pundit isn't looking for the Admin::CarPolicy
. I presume it's because it's an array.
I thought in the controller I could do something like policy_scope(Admin::Car)
but that doesn't work :).
Any assistant is much appreciated.
Update
I found this on the Pundit Github Issues Page: https://github.com/elabs/pundit/pull/391
This fixes the namespace handling for policy_scope which is what I wanted.
It updates the Pudit gem -> policy_scope!
method in lib/pundit.rb
.
From:
def policy_scope!(user, scope)
PolicyFinder.new(scope).scope!.new(user, scope).resolve
end
To:
def policy_scope!(user, scope)
model = scope.is_a?(Array) ? scope.last : scope
PolicyFinder.new(scope).scope!.new(user, model).resolve
end
My question is, how do I use this in my Rails application? Is it called overloading or monkey patching?
I was thinking adding a pundit.rb
in the config/initializer
directory and using module_eval
but unsure how to do this as the policy_scope!
is inside module Pundit
and class << self
.
I thought this would work but it doesn't - presume it is because policy_scope!
is inside class << self
.
Pundit::module_eval do
def policy_scope!(user, scope)
model = scope.is_a?(Array) ? scope.last : scope
PolicyFinder.new(scope).scope!.new(user, model).resolve
end
end