Using Pundit with namespace

Asked 21/1, 2014 at 10:9 Answered 7/11, 2020 at 11:3

In my project, i have pretty common namespace "admin".

namespace :admin do
    resources :users, except: :show
end

I use Pundit gem to set proper authorization, but i found it difficult to use with controllers within namespace. my policies are organised as below

-policies
    -admin
        user_policy.rb
    application_policy.rb
    admin_policy.rb
    awesome_policy.rb

very similar to controllers.

However, when inside the controller i use "authorize" method i get nothing but an error, informing that app is "unable to find UserPolicy". My UserPolicy looks like this:

class Admin::UserPolicy < AdminPolicy
end

So what is the problem, what should I do to make Pundit see those policies inside namespace?

Joannejoannes answered 21/1, 2014 at 10:9 Comment(0)

Short answer: you can't make Pundit use controller namespace-specific policies.

Long answer: Pundit looks at the resource (model) to determine which Policy class to use, so any time you pass an instance of the User model in as the resource, it's going to look for UserPolicy, not Admin::UserPolicy

See here, here and here.

You could specify a policy class on your User model, but this doesn't really solve your namespaced controller issue since Pundit is going to derive the policy class from the model, regardless of where you're authorizing.

Discarnate answered 11/2, 2014 at 4:56 Comment(0)

With the new merged commit you can do this.

It will work automatically.

UPDATE:

From 0.3 version is effectively removed without replacing feature. However namespace feature can be obtained in namespace branch on github.

You can see the discussion of feature in issue on github.

My suggestion for people who want use namespaces with pundit - don't use yet. Make before filter to access restricted area like admin dashboard and leave authorization model rules in pundit files. That's way you will be able to use pundit without hacks and problems.

Royroyal answered 28/5, 2014 at 4:44 Comment(1)

with the latest_latest version it doesn't work again. but there is a fork github.com/coryodaniel/regulator that I used, and it works great for me. – Dentelle 30/1, 2016 at 15:15

While onemanstartup mentioned that is should work automatically now, I wasn't able to get the namespaced policy to work, but here's what I did find to be acceptable.

In your case, in the AdminPolicy, I added custom action names, like

def new_user?
  some code
end

and then in my Admin::UserController#new action

def new
  authorize @user, :new_user?
end

Starknaked answered 4/8, 2014 at 2:34 Comment(1)

EXCELLENT WORK! Fixed a problem I have been stuck on! Great JOB! @Starknaked – Menorca 14/8, 2015 at 17:55

Just came here because of the same problem. Working with pundit v2.1.0, this is possible by overriding policy_scope and authorize in the controller. What I did for a similar setup:

module Admin
  class ModuleController < ModuleController
    private

    def policy_scope(scope)
      super([:admin, scope])
    end

    def authorize(record, query = nil)
      super([:admin, record], query)
    end
  end
end

And then just use the usual ways of working with your policy in your controller, which will then take the policy from your Admin namespace.

This is also described in the README at https://github.com/varvet/pundit#policy-namespacing

In case you need more context than just the current user and the record, Pundit policies with two input parameters will be helpful.

Blacking answered 7/11, 2020 at 11:3 Comment(0)

Recommended topics

Hot tags