Pundit authorisation using service objects
The Tools

  1. Pundit Authorisation; experimenting with this pull request linked to from the official Pundit README;
  2. ActiveInteraction domain service objects ("DSOs");
  3. RSpec 2.99.1

**The Project**

The project repo is on Github; what's under scrutiny here is on the pundit-1 branch.

I've followed the Pundit tutorial and gotten authorisation working using "traditional" chubby controllers; see

All well and good so far. And then we come to the SessionsController, whose #new and #destroy actions respectively govern logging in and out.

The current code and spec Work Just Fine using traditional-ish controller logic (see how #new calls private methods that use Pundit to authorise the active (current) user using a SessionDataPolicy).

Then I try to encapsulate that logic within an ActiveInteraction DSO (see the commented-out code in SessionsController#new), and all hell breaks loose.

More specifically, the version of the SessionsController spec in this Gist raises a Pundit::AuthorizationNotPerformedError at the point where the spec calls the #new method.

Whiskey. Tango. FOX?!?!?

Has anybody been able to get similar code working without Pundit living directly inside the controller code, ideally using @billychan's pull request (a better alternate will be gratefully entertained)?

This has me completely flummoxed.

Waitabit answered 22/7, 2014 at 7:7 Comment(4)
The links to the pundit-1 branch and controllers above are both returning 404s (potentially private repo?). That is making it difficult for me to tell what is going on exactly. - Imelda
Sorry about that, John. The repo is still there and public; the branch has been deleted, apparently by one of my 'helpful' collaborators. I can't find out more since GitHub doesn't apparently support activity reports going back farther than a month, and I don't have the branch locally anymore, either. This is old enough now that I probably really ought to just delete the question, since everything about it is outdated now. I'll leave it up a little while longer just so you can get this. Sorry again. - Waitabit
Jeff Dickey, for someone starting with Service Objects, do you have a recommendation of how to implement path/activity based authorization? Thanks for any pointers. - Puritanism
@Puritanism can you just use the class instantiation like PolicyName.new(user, context).action? - Goosegog
Pundit::AuthorizationNotPerformedError is raised because of the #verify_authorized method, which basically checks for the @_pundit_policy_authorized variable.

You can just turn off verification for controllers that don't need it.

UPD. and again necroposting. I need to pay more attention to dates :\

Jaymie answered 30/7, 2018 at 14:53 Comment(0)
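To make the mechanism in the answer above concrete, here is an added Ruby model of it (not Pundit's own code and not from the asker's repo): a stand-in SessionDataPolicy, a hypothetical AuthoriseSession service object in place of the ActiveInteraction DSO, and a controller whose after-action check fails when only the service object consulted the policy.

```ruby
# Minimal model of the bookkeeping behind Pundit's verify_authorized (written for
# this example; not the gem's code). The controller helper `authorize` sets
# @_pundit_policy_authorized and `verify_authorized`, run as an after_action,
# raises when the flag is unset; a DSO calling the policy class never sets it.
class AuthorizationNotPerformedError < StandardError; end
class NotAuthorizedError < StandardError; end
# Stand-in for the question's SessionDataPolicy; the rule is constructed here.
class SessionDataPolicy
  def initialize(user, _record); @user = user; end
  def new?; @user.nil?; end  # only a logged-out visitor may see the login form
end

module PunditLike
  def authorize(record, query)
    @_pundit_policy_authorized = true
    policy = SessionDataPolicy.new(current_user, record)
    raise NotAuthorizedError, "#{query} denied" unless policy.public_send(query)
    record
  end
  def skip_authorization; @_pundit_policy_authorized = true; end
  def verify_authorized
    raise AuthorizationNotPerformedError unless @_pundit_policy_authorized
  end
end
# Hypothetical DSO standing in for the ActiveInteraction service object: it
# asks the policy itself and cannot see the controller's state.
class AuthoriseSession
  def self.run(user, query)
    SessionDataPolicy.new(user, :session_data).public_send(query)
  end
end
class SessionsController
  include PunditLike
  attr_reader :current_user
  def initialize(user); @current_user = user; end
  # Broken: the DSO decides, but the controller's flag stays unset.
  def new_via_dso; AuthoriseSession.run(current_user, :new?); end
  # Fixed: the controller records the decision itself (skip_authorization
  # would also satisfy the check, for actions that genuinely need none).
  def new_with_authorize; authorize(:session_data, :new?); end
  # Runs an action the way Rails would: action body, then the after_action.
  def dispatch(action)
    public_send(action)
    verify_authorized
    :ok
  rescue AuthorizationNotPerformedError
    :authorization_not_performed
  end
end
```

The same pattern explains why moving the policy call into a DSO raises even though the policy itself ran: the controller's flag, not the policy, is what verify_authorized inspects.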
You can create a headless policy at the DSO level like

Struct.new(:user)

and then validate method authorisation on users.

Abebi answered 26/10, 2017 at 8:17 Comment(0)