Module: Pundit

Extended by:
ActiveSupport::Concern
Defined in:
lib/pundit.rb,
lib/pundit/rspec.rb,
lib/pundit/version.rb,
lib/pundit/policy_finder.rb,
lib/generators/pundit/policy/policy_generator.rb,
lib/generators/pundit/install/install_generator.rb

Defined Under Namespace

Modules: RSpec
Classes: AuthorizationNotPerformedError, NotAuthorizedError, NotDefinedError, PolicyFinder, PolicyScopingNotPerformedError

Constant Summary

SUFFIX = "Policy"
VERSION = "1.1.0"

Class Method Details

.authorize(user, record, query) ⇒ true

Retrieves the policy for the given record, initializing it with the record and user and finally throwing an error if the user is not authorized to perform the given action.

Parameters:

  • user (Object)

    the user that initiated the action

  • record (Object)

    the object we're checking permissions of

  • query (Symbol)

    the query method to check on the policy (e.g. :show?)

Returns:

  • (true)

    Always returns true

Raises:

  • (NotAuthorizedError)

    if the policy's query method returns a falsy value for this user and record

# File 'lib/pundit.rb', line 61

def authorize(user, record, query)
  policy = policy!(user, record)

  unless policy.public_send(query)
    raise NotAuthorizedError, query: query, record: record, policy: policy
  end

  true
end

.policy(user, record) ⇒ Object?

Retrieves the policy for the given record.

Parameters:

  • user (Object)

    the user that initiated the action

  • record (Object)

    the object we're retrieving the policy for

Returns:

  • (Object, nil)

    instance of policy class with query methods

# File 'lib/pundit.rb', line 99

def policy(user, record)
  policy = PolicyFinder.new(record).policy
  policy.new(user, record) if policy
end

.policy!(user, record) ⇒ Object

Retrieves the policy for the given record.

Parameters:

  • user (Object)

    the user that initiated the action

  • record (Object)

    the object we're retrieving the policy for

Returns:

  • (Object)

    instance of policy class with query methods

Raises:

  • (NotDefinedError)

    if no policy class can be found for the record

# File 'lib/pundit.rb', line 111

def policy!(user, record)
  PolicyFinder.new(record).policy!.new(user, record)
end

.policy_scope(user, scope) ⇒ Scope{#resolve}?

Retrieves the policy scope for the given scope and resolves it.

Parameters:

  • user (Object)

    the user that initiated the action

  • scope (Object)

    the object we're retrieving the policy scope for

Returns:

  • (Scope{#resolve}, nil)

    instance of scope class which can resolve to a scope

# File 'lib/pundit.rb', line 77

def policy_scope(user, scope)
  policy_scope = PolicyFinder.new(scope).scope
  policy_scope.new(user, scope).resolve if policy_scope
end

.policy_scope!(user, scope) ⇒ Scope{#resolve}

Retrieves the policy scope for the given scope and resolves it.

Parameters:

  • user (Object)

    the user that initiated the action

  • scope (Object)

    the object we're retrieving the policy scope for

Returns:

  • (Scope{#resolve})

    instance of scope class which can resolve to a scope

Raises:

  • (NotDefinedError)

    if no policy scope class can be found for the scope

# File 'lib/pundit.rb', line 89

def policy_scope!(user, scope)
  PolicyFinder.new(scope).scope!.new(user, scope).resolve
end

Instance Method Details

#authorize(record, query = nil) ⇒ true

Retrieves the policy for the given record, initializing it with the record and current user and finally throwing an error if the user is not authorized to perform the given action.

Parameters:

  • record (Object)

    the object we're checking permissions of

  • query (Symbol, nil)

    the query method to check on the policy (e.g. :show?); when nil, defaults to the current controller action name with "?" appended (params[:action])

Returns:

  • (true)

    Always returns true

Raises:

  • (NotAuthorizedError)

    if the policy's query method returns a falsy value for the current user and record

# File 'lib/pundit.rb', line 189

def authorize(record, query = nil)
  query ||= params[:action].to_s + "?"

  @_pundit_policy_authorized = true

  policy = policy(record)

  unless policy.public_send(query)
    raise NotAuthorizedError, query: query, record: record, policy: policy
  end

  true
end

#permitted_attributes(record, action = params[:action]) ⇒ Hash{String => Object}

Retrieves a set of permitted attributes from the policy by instantiating the policy class for the given record and calling permitted_attributes on it, or permitted_attributes_for_{action} if it is defined. It then infers what key the record should have in the params hash and retrieves the permitted attributes from the params hash under that key.

Parameters:

  • record (Object)

    the object we're retrieving permitted attributes for

  • action (String)

    the action name used to look up permitted_attributes_for_{action}; defaults to params[:action]

Returns:

  • (Hash{String => Object})

    the permitted attributes

# File 'lib/pundit.rb', line 247

def permitted_attributes(record, action = params[:action])
  param_key = PolicyFinder.new(record).param_key
  policy = policy(record)
  method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
    "permitted_attributes_for_#{action}"
  else
    "permitted_attributes"
  end
  params.require(param_key).permit(policy.public_send(method_name))
end

#policy(record) ⇒ Object?

Retrieves the policy for the given record.

Parameters:

  • record (Object)

    the object we're retrieving the policy for

Returns:

  • (Object, nil)

    instance of policy class with query methods

# File 'lib/pundit.rb', line 234

def policy(record)
  policies[record] ||= Pundit.policy!(pundit_user, record)
end

#policy_scope(scope) ⇒ Scope{#resolve}?

Retrieves the policy scope for the given scope using the current user, resolves it, and records that scoping was performed.

Parameters:

  • scope (Object)

    the object we're retrieving the policy scope for

Returns:

  • (Scope{#resolve}, nil)

    instance of scope class which can resolve to a scope

# File 'lib/pundit.rb', line 224

def policy_scope(scope)
  @_pundit_policy_scoped = true
  pundit_policy_scope(scope)
end

#pundit_policy_authorized? ⇒ Boolean

Returns whether authorization has been performed, i.e. whether #authorize or #skip_authorization has been called at least once in this request.

Returns:

  • (Boolean)

    true if #authorize or #skip_authorization has been called

# File 'lib/pundit.rb', line 149

def pundit_policy_authorized?
  !!@_pundit_policy_authorized
end

#pundit_policy_scoped? ⇒ Boolean

Returns whether policy scoping has been performed, i.e. whether #policy_scope or #skip_policy_scope has been called at least once in this request.

Returns:

  • (Boolean)

    true if #policy_scope or #skip_policy_scope has been called

# File 'lib/pundit.rb', line 155

def pundit_policy_scoped?
  !!@_pundit_policy_scoped
end

#pundit_user ⇒ Object

Hook method which allows customizing which user is passed to policies and scopes initialized by #authorize, #policy and #policy_scope.

Returns:

  • (Object)

    the user object to be used with pundit

# File 'lib/pundit.rb', line 277

def pundit_user
  current_user
end

#skip_authorization

This method returns an undefined value.

Allow this action not to perform authorization.



# File 'lib/pundit.rb', line 207

def skip_authorization
  @_pundit_policy_authorized = true
end

#skip_policy_scope

This method returns an undefined value.

Allow this action not to perform policy scoping.



# File 'lib/pundit.rb', line 215

def skip_policy_scope
  @_pundit_policy_scoped = true
end

#verify_authorized

This method returns an undefined value.

Raises an error if authorization has not been performed. Usually used as an after_action filter to catch the programmer error of forgetting to call #authorize or #skip_authorization in an action.

Raises:

  • (AuthorizationNotPerformedError)

    if neither #authorize nor #skip_authorization has been called

# File 'lib/pundit.rb', line 166

def verify_authorized
  raise AuthorizationNotPerformedError, self.class unless pundit_policy_authorized?
end
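The #authorize and #verify_authorized pattern above, as an added example that is not Pundit's own code: a policy class, a controller-like class that includes the module, and the two failure modes (a denied query and an action that forgot to authorize). It requires the gem when installed and otherwise falls back to a small labelled stand-in with the same semantics; PostPolicy, PostsController and the Struct models are constructed for the example.

```ruby
# Added example, not Pundit's own code. It uses the gem when installed and otherwise
# a small stand-in that mirrors the page's authorize/verify_authorized semantics.
begin
  require "pundit"
rescue LoadError
  module Pundit
    class NotAuthorizedError < StandardError; end
    class AuthorizationNotPerformedError < StandardError; end

    # Same check as lib/pundit.rb line 61 above, with a simplified policy lookup.
    def self.authorize(user, record, query)
      policy = Object.const_get("#{record.class.name}Policy").new(user, record)
      raise NotAuthorizedError, "not allowed to #{query}" unless policy.public_send(query)
      true
    end

    def authorize(record, query)
      @_pundit_policy_authorized = true
      Pundit.authorize(pundit_user, record, query)
    end
    def skip_authorization; @_pundit_policy_authorized = true; end
    def verify_authorized
      raise AuthorizationNotPerformedError, self.class unless @_pundit_policy_authorized
    end
    def pundit_user; current_user; end
  end
end

User = Struct.new(:id, :admin)      # constructed sample models
Post = Struct.new(:id, :author_id)

# Policy class: named <Model>Policy, built with (user, record), predicate queries.
class PostPolicy
  def initialize(user, post); @user, @post = user, post; end
  # Only the post's author or an admin may update it.
  def update?; @user.admin || @post.author_id == @user.id; end
end

# Controller-like class. In Rails, verify_authorized runs as an after_action and
# raises when an action finished without authorize or skip_authorization.
class PostsController
  include Pundit
  attr_reader :current_user
  def initialize(current_user); @current_user = current_user; end
  def update(post); authorize(post, :update?); :updated; end
  def index; :listed; end       # programmer error: no authorize/skip_authorization
  def finish; verify_authorized; :ok; end
end
```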

#verify_policy_scoped

This method returns an undefined value.

Raises an error if policy scoping has not been performed. Usually used as an after_action filter on index actions to catch the programmer error of forgetting to call #policy_scope or #skip_policy_scope.

Raises:

  • (PolicyScopingNotPerformedError)

    if neither #policy_scope nor #skip_policy_scope has been called

# File 'lib/pundit.rb', line 177

def verify_policy_scoped
  raise PolicyScopingNotPerformedError, self.class unless pundit_policy_scoped?
end