A proposal for issue #368.

Adds an additional argument to the policy_scope methods that specifies the method on the scope that should be called. Defaults to :resolve for backward compatibility.

This makes Scopes more flexible by allowing multiple scopes to be defined on a Scope class and making them available for use in controllers or views with existing helper methods.

This PR allows to override the policy class on the authorize method. This is useful when you have a controller that manages different types of models that share a common interface and you want to use the same policy for that kind of behaviour.

The app I'm working on has two sections: user and admin. There are multiple types of users and multiple types of admins, and different authentication solutions are used for each of them.

Although all the application models are used by both admins and users, policies are very different. Handling both users and admins and all distinct types within single policy was not so clear and full of ifs.

The way I handled this was to dynamically define policy_class on every ActiveRecord descendant in before filter. Something like this:

def set_policy_namespace
  m = self.class.name.split("::").first
  active_record_descendants.each do |ar|
    ar.class.instance_eval do
      define_method(:policy_class) do
        "::Policies::#{m}::#{self.name}Policy"
      end
    end
  end
end

def active_record_descendants
  Rails.application.eager_load! unless Rails.application.config.cache_classes
  ActiveRecord::Base.descendants
end

So, if I'm in Admin::HomeController, Project model will have policy_class redefined to return ::Policies::Admin::ProjectPolicy.

I've tried to demonstrate valid use case for this. Do you have any thoughts on how can this be made easier? I'm not sure whether or not it should be a part of gem (since it is somewhat rare).. I'm just asking for opinion.

thanks

Pundit looks great for authorizing models but in some instances I need to authorize controller actions (with no associated model) as well. A simple check whether the user is logged in or not will suffice most of the time. However, sometimes the ability to view a controller action is based on a user role, i.e. user can view settings page if administrator but not if regular user.

What are the best practices for these situations? Any clarifications would be appreciated on how all the authorization pieces fit together.

Given a TagsController and an Admin::TagsController each with a corresponding policy, how does one access the admin policy from a view? I've got a global nav link I'd like to only expose to admins.

policy(Tag).index? references the non-Admin namespace policy

I assumed something like this would work: policy(Admin::Tag).index? However, Admin::Tag is not defined and thus, it throws an error.

Ideally, I'd do something like so: policy(Tag, namespace: 'admin').index?

I don't see why Pundit::NotAuthorizedError doesn't provide the user with the query or record that "caused" the error to be raised. This PR adds these two properties.

I think using the NotAuthorizedError could resolve the still-open question of handling custom error messages (see #68, #38, and #66 for earlier discussion). With this change, I as a user of this gem could choose to (but am not obligated to) use the query and record property to create my error message:

class ApplicationController < ActionController::Base
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  def user_not_authorized(exception)
    record_name = exception.record.class.to_s.downcase
    flash[:error] = I18n.t "pundit.#{record_name}.#{exception.query}"
  end
end

en:
  pundit:
    post:
      update?: 'You cannot edit this post!'

I think one of the strong points about Pundit is that it is extremely transparent -- there's almost nothing magical about it. The fact that there's little consensus about how errors should be handled is a sign that we can't predict what developers will expect Pundit to do w.r.t. errors. Rather than surprise them, why not let developers choose how to handle errors on their own?

Let me know what you think!

authorize currently assumes that each policy has enough information to make a decision. This isn't always the case as described in the policy below.

class ProjectPolicy
  # Determine if user is allowed to remove other_user from the project.
  #
  # @return [Boolean]
  def remove_user?(other_user)
    user != other_user && project.owned_by?(user)
  end
end

authorize has been patched to send any extra arguments to the policy which makes the above possible.

class ProjectsController < ApplicationController
  include Pundit

   # This isn't RESTful but shows intent.
  def remove_user
    authorize project, :remove_user?, other_user

    project.remove_user other_user
    respond_with project
  end

   private

  def project
    @project ||= current_user.find_project params[:id]
  end

  def other_user
    @other_user ||= project.find_user params[:user_id]
  end
end

When calling various helper methods in Pundit e.g. policy([:admin, @user]).show?, the full array is being passed to the policy object, rather than just @user. Is this expected functionality? or should my policy objects be grabbing the last object in the array to use as the record in the policy.

Have been having an interesting conversation with some colleagues today and was wondering where you folks stand on it.

The question is: where do you draw your line between authorization and business logic/context? Do you use Pundit purely do define who can do what based on their role, or do you bring your deeper contexts into the picture?

Here's a plain english version of the scenario I'm dealing with:

Our system has a User model, a Post model, and an Event model. Users have roles ("admin" and "user").

• Post belongs_to Event, but can also stand alone.
• Any user of any role can create Posts not associated with an Event.
• Admin users can create Posts for any Event.
• Regular users can only create Posts for Events that haven't passed (if they try to create an Event for a past Post, they should get a custom error message).

Option 1 Put everything in a Pundit Policy

If I were to do this all in Pundit, the PostPolicy and controller would look something like this:

class PostPolicy

  def create?
    user.admin? || record.event_id.nil? || record.event.ends_at > Time.current
  end

end

class PostsController < ApplicationController

  before_action :set_post

  def create
    authorize @post
    if @post.save...
  end

  private

  def set_post
    @post = current_user.posts.build(post_params)
  end

end

This works... with caveats:

1. Pro: the policy could be used within a view to fully represent the rules around creating a Post.
2. Grey area: We're getting into tertiary data by looking at the record's Event association. This is a slippery slope.
3. Con: We don't have the ability to return a custom error message in the case of an expired Event (do we?). If authorization fails for whatever reason, you can only generate a singular error message based off the exception on PostPolicy#create.

Option 2 Create multiple policies

class PostPolicy

def create?
  record.event_id.nil? || record.event.ends_at > Time.current
end

class AdminPostPolicy

def create?
  user.admin?
end

Assuming we could split policies cleanly along role lines, we might be able to do something like this, which opens up slightly more messaging options. Uncertain at this time, so this is the least fleshed out example.

Option 3 Use Pundit purely for role checking (signed in, can create Posts) and put business logic in controllers

class PostPolicy < ApplicationPolicy
  # ApplicationPolicy ensures user is logged in
end

class PostsController < ApplicationController

  before_action :set_post
  before_action :set_event

  def create
    authorize @post
    if @post.save...
  end

  private

  def set_post
    @post = current_user.posts.build(post_params)
  end

  def set_event
    return unless params[:post][:event_id].present?
    @post.event = Event.find(params[:post][:event_id])
    render_errors("custom message") unless current_user.admin? || @post.event.ends_at > Time.current
  end

It gets the job done, and can be different if we have a PostsController under /admin, but can end up fairly wet. Also, we lose the singular authority on when a user can create a post if we need the same total logic in the view.

Option 4 Use Pundit purely for role checking (signed in, can create Posts) and put business logic in service objects

class PostPolicy < ApplicationPolicy
  # ApplicationPolicy ensures user is logged in
end

class PostsController < ApplicationController

  def create
    post_creator = PostCreator.new(post_params, current_user)
    authorize post_creator.post, :create?
    if post_creator.save
      render post_creator.post
    else
      render_errors(post_creator.errors)
    end
  end

class PostCreator

  attr_accessor :post, :errors, :current_user

  def initialize(params, current_user)
    self.current_user = current_user
    self.post = current_user.posts.build(params)
  end

  def save
    if current_user.admin? || post.event_id.nil? || post.event.ends_at > Time.current
      post.save
    else
      self.errors = "custom message"
      false
    end
  end
end

Cleaner than controllers, but again you've split out your authority into two places. Also, I originally had the pundit authorize call within the service object but don't actually know if that's possible.

Another option would be to pass in the current_user context to the model and run the event check as a validation, but that is exceedingly gross, and I find my models are getting thinner and thinner these days (basically just wrappers around the table with rudimentary validation).

Feedback appreciated. Cheers.

I would to allow only customer's owner to manage profiles (the customer is given by the controller):

class ProfilePolicy
  def initialize(user, customer, record)
    @user = user
    @customer = customer
    @record = record
  end

  def create?
    @customer.owner == @user
  end
end

What I'm currently doing is:

class ApplicationController
  def policy(record)
    policy = PolicyFinder.new(record).policy
    policy.new(current_user, current_customer, record) if policy
  end
end

If that's correctly, we should add a section on README explaining that.

Dear pundit-community,

Sorry for the neglect as of lately! We're working on getting up to speed with current issues and pull requests.

Sincerely,

~ The @varvet team

In a perfect world I would like to do something like this:

  def user_not_authorized
    respond_to do |format|
      format.html do
        flash[:alert] = "You are not authorized to perform this action."
        redirect_back(fallback_location: root_path)
      end
      format.turbo_stream do
        flash.now[:alert] = "You are not authorized to perform this action."
        turbo_stream.prepend "flash", partial: "shared/flash"
      end
    end
  end

And then if someone tried to perform an action they can't do, they would get a flash message on their current page / frame without a redirect.

With the above code using Pundit v2.2.0, on authorization failure no alert message gets shown and no redirect happens. The request gets executed as the html format which I verified by printing a message to the terminal in that block.

As is Pundit doesn’t send the request as a turbo_stream so that format never gets a chance to execute. Is there a current workaround or official plans to support Hotwire Turbo Frames and Steams given it's a Rails 7 default?

Thanks!

This seems to be brought up before, most closely in #697.

Background

• I'm using Pundit via the Pundit Adapter in Active Admin.
• My policies are namespaced under active_admin, resulting in policy classes like ActiveAdmin::BookPolicy.
• I am using STI on the Book class, with types like RedBook and BlueBook. Both these classes have the self.policy_class defined to point back to the BookPolicy.

The Pundit adapter uses the namespace method and sends an array with the namespace and a resource to Pundit - that eventually ends up calling PolicyFinder::find method with the array.

Expected Behaviour

I should be able to share policies between various "STI siblings", even if the policy is namespaced.

Actual Behaviour

This is not possible, at least when Pundit is abstracted through the Pundit Adapter.

Issue

When attempting to authorize an action on RedBook, I've tried these three scenarios:

1. When self.policy_class is not defined - Pundit looks for ActiveAdmin::RedBookPolicy and fails [EXPECTED]
2. When self.policy_class returns BookPolicy - rails says this class is not found [EXPECTED]
3. When self.policy_class returns ActiveAdmin::BookPolicy - the find method does not strip the namespace, ending up with ActiveAdmin::ActiveAdmin::BookPolicy.

So right now I'm not able to share the policy at all - I'd expect the third case to go through.

More Info

I'm not able to override methods because of the adapter abstraction. This seems to have been the solution most people used in the other issues. I think find should be able to understand whether this statement is actually required before executing it-

     if subject.is_a?(Array)
        modules = subject.dup
        last = modules.pop
        context = modules.map { |x| find_class_name(x) }.join("::")
        [context, find(last)].join("::") #this line might need to be conditional?

I'm aware that I can create more policies for each type of Book, but my goal is to have a single policy that governs all Books.

Explanation: https://github.com/varvet/pundit/issues/748

Edit: Just noticed the build failed. Likely because Pundit is not specific to ActiveRecord. Leaving it there just in case you have a better implementation in mind.

Hi,

I believe there is a very small improvement that could be implemented in Pundit's policy_scope.

Exemple of problem

  class Scope < ::ApplicationPolicy::Scope
    def resolve 
     # I know the joins are being useless, it's only for demo
      scope.left_joins(:user, project: :project_managers).where(user: { id: 9 })
    end
  end

policy_scope(ProjectTime).where(date: @date).sum(:total)
=> 8.28111111111111

policy_scope(ProjectTime).distinct.where(date: @date).sum(:total)
=> 6.519722222222221

Problem

Some results in the SQL query are duplicated because of the joined table.

Solution

An easy way to come around this issue is to wrap the policy in a subquery like so

class Scope < ::ApplicationPolicy::Scope
    def resolve 
      scoped = scope.left_joins(:user, project: :project_managers).where(user: { id: 9 })
      scope.where(id: scoped)
    end
  end

policy_scope(ProjectTime).where(date: @date).sum(:total)
=> 6.519722222222221

policy_scope(ProjectTime).distinct.where(date: @date).sum(:total)
=> 6.519722222222221

Request

I believe this behavior could be wrapped into the gem and applied automatically. I believe it also make sense that our policies only take care of filtering stuff without leaving any side effect.

It would be nice if this method either returned the policy class checked, or if there was some way to determine this without re-implementing the policy lookup logic.

https://github.com/varvet/pundit/blob/56af8f3ce25bf1eea47ec877f840b3de6fb32cdc/lib/pundit.rb#L76

One way would be to split this into two methods:

• Map incoming arguments to a policy.
• Raise an exception if the policy isn't satisified.

Would you accept a PR for this?