4
votes

Question about getting Rails 5 and Pundit authorization working with Namespaces.

With Pundit, in the controller I wanted to use policy_scope([:admin, @car] which will use the Pundit policy file located in: app/policies/admin/car_policy.rb. I'm having issues trying to Pundit working with this namespace - without a namespace, it works fine.

Application is running:

  • Rails 5
  • Devise for authentication
  • Pundit for authorization

My namespace is for admins for example.

The route.rb file looks like:

# config/routes.rb

devise_for :admins

root: 'cars#index'
resources :cars

namespace :admin do
  root 'cars#index'
  resources :cars
end

I've setup a Pundit ApplicationPolicy and to get Namespaces working with Pundit's authorize method: @record = record.is_a?(Array) ? record.last : record

# app/policies/application_policy.rb

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record.is_a?(Array) ? record.last : record
  end

  def scope
    Pundit.policy_scope!(user, record.class)
  end

  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      scope
    end
  end
end

In the Admin::CarsController this works authorize [:admin, @cars]

class Admin::CarsController < Admin::BaseController
  def index
    @cars = Car.order(created_at: :desc)
    authorize [:admin, @cars]
  end

  def show
    @car = Car.find(params[:id])
    authorize [:admin, @car]
  end
end

But I would like to use Policy Scope

class Admin::CarPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      if user?
        scope.all
      else
        scope.where(published: true)
      end
    end
  end

  def update?
    user.admin? or not post.published?
  end
end

In the Admin::CarsController

class Admin::CarssController < Admin::BaseController
  def index
    # @cars = Car.order(created_at: :desc) without a policy scope
    @cars = policy_scope([:admin, @cars]) # With policy scope / doesn't work because of array.
    authorize [:admin, @cars]
  end

  def show
    # @car = Car.find(params[:id]) without a policy scope
    @car = policy_scope([:admin, @car]) # With policy scope / doesn't work because of array.
    authorize [:admin, @car]
  end
end

I'm getting an error because Pundit isn't looking for the Admin::CarPolicy. I presume it's because it's an array.

I thought in the controller I could do something like policy_scope(Admin::Car) but that doesn't work :).

Any assistant is much appreciated.


Update

I found this on the Pundit Github Issues Page: https://github.com/elabs/pundit/pull/391

This fixes the namespace handling for policy_scope which is what I wanted.

It updates the Pudit gem -> policy_scope! method in lib/pundit.rb.

From:

def policy_scope!(user, scope)
  PolicyFinder.new(scope).scope!.new(user, scope).resolve
end

To:

def policy_scope!(user, scope)
  model = scope.is_a?(Array) ? scope.last : scope
  PolicyFinder.new(scope).scope!.new(user, model).resolve
end

My question is, how do I use this in my Rails application? Is it called overloading or monkey patching?

I was thinking adding a pundit.rb in the config/initializer directory and using module_eval but unsure how to do this as the policy_scope! is inside module Pundit and class << self.

I thought this would work but it doesn't - presume it is because policy_scope! is inside class << self.

Pundit::module_eval do
  def policy_scope!(user, scope)
    model = scope.is_a?(Array) ? scope.last : scope
    PolicyFinder.new(scope).scope!.new(user, model).resolve
  end
end
1

1 Answers

2
votes

Medir posted the solution on the Pundit Github Issues Page.

Just change your application_policy.rb to :

class ApplicationPolicy
  index? show?....

  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      # @scope = scope
      @scope = scope.is_a?(Array) ? scope.last : scope #This fixes the problem
    end

    def resolve
      scope
    end
  end
end

You can then use :

policy_scope([:admin, @cars])