I am fairly new to using this Pundit gem but seem to be having trouble understanding the policy system. I have added checks that Pundit has been called for authorization (verify_authorized) and for scoping (verify_policy_scoped). However, this causes errors when I visit the Devise sessions controller.
Application Controller
class ApplicationController < ActionController::Base
  include Pundit
  protect_from_forgery
  before_filter :authenticate_person!

  # Verify that controller actions are authorized. Optional, but good.
  after_filter :verify_authorized, except: :index
  after_filter :verify_policy_scoped, only: :index

  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  private

  # Pundit passes the return value of this method to every policy as `user`.
  def pundit_user
    Person.find_by_id(current_person)
  end

  def user_not_authorized
    flash[:alert] = "You are not authorized to perform this action."
    # redirect_to(request.referrer || root_path)
  end
end
Application Policy
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    # Anonymous visitors are rejected before any policy method runs.
    raise Pundit::NotAuthorizedError, "must be logged in" unless user
    @user = user
    @record = record
  end

  # Default deny: subclasses opt individual actions in.
  def index?
    false
  end

  # A record is visible only if it lies inside the user's policy scope.
  def show?
    scope.where(:id => record.id).exists?
  end

  def create?
    false
  end

  def new?
    create?
  end

  def update?
    false
  end

  def edit?
    update?
  end

  def destroy?
    false
  end

  def scope
    Pundit.policy_scope!(user, record.class)
  end

  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    # Default scope: unrestricted; subclasses narrow it.
    def resolve
      scope
    end
  end
end
Error Messages
Pundit::AuthorizationNotPerformedError in Devise::SessionsController#new
Pundit::PolicyScopingNotPerformedError in ...
after_action :verify_authorized, except: :index, unless: devise_controller?
– Gussiegussman
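The situation in the question and the usual fix, as an added, runnable Ruby sketch that is not part of the post and does not load Rails, Devise or Pundit: the module `MiniPundit`, the `BaseController` callback machinery, `PostPolicy`, `Relation`, the `run` helper and the sample `Person`/`Post` data are stand-ins I constructed for the sketch (`devise_controller?` is the predicate Devise defines on its controllers; everything else is assumed).

```ruby
# Added, stand-alone sketch (not from the question, Pundit, Rails or Devise):
# toy stand-ins for the pieces involved, so the failure in the question and the
# usual fix run without Rails. Every class name and sample value is an assumption.
module MiniPundit
  class NotAuthorizedError < StandardError; end
  class AuthorizationNotPerformedError < StandardError; end

  # Like Pundit#authorize: find <Model>Policy, ask it "<action>?", and remember
  # for this request that authorization happened.
  def authorize(record, query = nil)
    query ||= "#{@action_name}?"
    policy = Object.const_get("#{record.class.name}Policy").new(pundit_user, record)
    raise NotAuthorizedError, "not allowed to #{query} #{record.class.name}" unless policy.public_send(query)
    @_pundit_policy_authorized = true
  end

  # Like Pundit#verify_authorized: fail if the action never called authorize.
  def verify_authorized
    return if @_pundit_policy_authorized
    raise AuthorizationNotPerformedError, "#{self.class.name}##{@action_name}"
  end
end

# Stand-in for a Rails controller: inheritable after_action callbacks honouring
# :except and :unless (the :unless symbol is sent to the instance on every request).
class BaseController
  include MiniPundit

  def self.after_actions; @after_actions ||= []; end
  def self.inherited(sub); super; sub.after_actions.concat(after_actions); end
  def self.after_action(name, opts = {}); after_actions << opts.merge(name: name); end

  def initialize(current_person); @current_person = current_person; end
  def pundit_user; @current_person; end     # what every policy receives as `user`
  def devise_controller?; false; end

  def process(action)
    @action_name = action
    public_send(action)
    self.class.after_actions.each do |cb|
      next if Array(cb[:except]).include?(action)
      next if cb[:unless] && public_send(cb[:unless])
      public_send(cb[:name])
    end
    :ok
  end
end

Person = Struct.new(:id); Post = Struct.new(:id, :owner_id)
POSTS  = [Post.new(1, 10), Post.new(2, 20)]   # constructed sample data

# In-memory stand-in for an ActiveRecord relation, enough for show? below.
Relation = Struct.new(:rows) do
  def where(id:); Relation.new(rows.select { |r| r.id == id }); end
  def exists?; !rows.empty?; end
end

# Same shape as the question's ApplicationPolicy: anonymous users are rejected
# up front, and show? is answered by the scope (a person sees only their own posts).
class PostPolicy
  attr_reader :user, :record
  def initialize(user, record)
    raise MiniPundit::NotAuthorizedError, "must be logged in" unless user
    @user, @record = user, record
  end
  def show?; scope.where(id: record.id).exists?; end
  def scope; Relation.new(POSTS.select { |p| p.owner_id == user.id }); end
end

# The question's setup: no exemption, so a Devise-style sessions controller's
# `new` reaches verify_authorized without ever having called authorize.
class LegacySessionsController < BaseController
  after_action :verify_authorized, except: :index
  def devise_controller?; true; end
  def new; end   # login form: there is no record to authorize
end

# The usual fix: exempt Devise controllers with a symbol condition, which is
# evaluated on each request's controller instance.
class ApplicationController < BaseController
  after_action :verify_authorized, except: :index, unless: :devise_controller?
end

class SessionsController < ApplicationController
  def devise_controller?; true; end
  def new; end
end

class PostsController < ApplicationController
  def show; authorize POSTS.fetch(0); end   # asks PostPolicy#show? about post 1
end

# Drive one request and report what the callback chain decided.
def run(controller_class, action, person)
  controller_class.new(person).process(action)
rescue MiniPundit::AuthorizationNotPerformedError
  :authorization_not_performed
rescue MiniPundit::NotAuthorizedError
  :not_authorized
end
```

`LegacySessionsController` reproduces the error in the question: by default Devise's controllers inherit from ApplicationController, so the `after_filter` also runs for `SessionsController#new`, and nothing in that action ever calls `authorize`. `ApplicationController` above shows the exemption; in Rails the condition is given as a symbol (`unless: :devise_controller?`) or a lambda so that it is evaluated on each request's controller instance rather than once while the class body is being loaded. The `rescue_from Pundit::NotAuthorizedError` handler from the question is still needed with this policy, because its `initialize` raises that error for anonymous users (the `run` helper maps it to `:not_authorized`).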