Module: Pundit

Defined in:

lib/pundit.rb,
lib/pundit/rspec.rb,
lib/pundit/version.rb,
lib/pundit/authorization.rb,
lib/pundit/policy_finder.rb,
lib/generators/pundit/policy/policy_generator.rb,
lib/generators/pundit/install/install_generator.rb

Defined Under Namespace

Classes: AuthorizationNotPerformedError, InvalidConstructorError, NotAuthorizedError, NotDefinedError, PolicyFinder, PolicyScopingNotPerformedError

Constant Summary

SUFFIX =

"Policy"

Class Method Summary

• .authorize(user, possibly_namespaced_record, query, policy_class: nil, cache: {}) ⇒ Object

  Retrieves the policy for the given record, initializing it with the record and user and finally throwing an error if the user is not authorized to perform the given action.

• .included(base) ⇒ Object
• .policy(user, record) ⇒ Object^?

  Retrieves the policy for the given record.

• .policy!(user, record) ⇒ Object

  Retrieves the policy for the given record.

• .policy_scope(user, scope) ⇒ Scope{#resolve}^?

  Retrieves the policy scope for the given record.

• .policy_scope!(user, scope) ⇒ Scope{#resolve}

  Retrieves the policy scope for the given record.

Class Method Details

.authorize(user, possibly_namespaced_record, query, policy_class: nil, cache: {}) ⇒ Object

Retrieves the policy for the given record, initializing it with the record and user and finally throwing an error if the user is not authorized to perform the given action.

Parameters:

• user (Object) —

  the user that initiated the action

• possibly_namespaced_record (Object, Array) —

  the object we're checking permissions of

• query (Symbol, String) —

  the predicate method to check on the policy (e.g. :show?)

• policy_class (Class) (defaults to: nil) —

  the policy class we want to force use of

• cache (#[], #[]=) (defaults to: {}) —

  a Hash-like object to cache the found policy instance in

Returns:

• (Object) —

  Always returns the passed object record

Raises:

• (NotAuthorizedError) —

  if the given query method returned false

# File 'lib/pundit.rb', line 76

def authorize(user, possibly_namespaced_record, query, policy_class: nil, cache: {})
  record = pundit_model(possibly_namespaced_record)
  policy = if policy_class
    policy_class.new(user, record)
  else
    cache[possibly_namespaced_record] ||= policy!(user, possibly_namespaced_record)
  end

  raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)

  record
end

.included(base) ⇒ Object

# File 'lib/pundit.rb', line 57

def self.included(base)
  ActiveSupport::Deprecation.warn <<~WARNING
    'include Pundit' is deprecated. Please use 'include Pundit::Authorization' instead.
  WARNING
  base.include Authorization
end

.policy(user, record) ⇒ Object^?

Retrieves the policy for the given record.

Parameters:

• user (Object) —

  the user that initiated the action

• record (Object) —

  the object we're retrieving the policy for

Returns:

• (Object, nil) —

  instance of policy class with query methods

Raises:

• (InvalidConstructorError) —

  if the policy constructor called incorrectly

See Also:

• https://github.com/varvet/pundit#policies

# File 'lib/pundit.rb', line 137

def policy(user, record)
  policy = PolicyFinder.new(record).policy
  policy&.new(user, pundit_model(record))
rescue ArgumentError
  raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
end

.policy!(user, record) ⇒ Object

Retrieves the policy for the given record.

Parameters:

• user (Object) —

  the user that initiated the action

• record (Object) —

  the object we're retrieving the policy for

Returns:

• (Object) —

  instance of policy class with query methods

Raises:

• (NotDefinedError) —

  if the policy cannot be found

• (InvalidConstructorError) —

  if the policy constructor called incorrectly

See Also:

• https://github.com/varvet/pundit#policies

# File 'lib/pundit.rb', line 152

def policy!(user, record)
  policy = PolicyFinder.new(record).policy!
  policy.new(user, pundit_model(record))
rescue ArgumentError
  raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
end

.policy_scope(user, scope) ⇒ Scope{#resolve}^?

Retrieves the policy scope for the given record.

Parameters:

• user (Object) —

  the user that initiated the action

• scope (Object) —

  the object we're retrieving the policy scope for

Returns:

• (Scope{#resolve}, nil) —

  instance of scope class which can resolve to a scope

Raises:

• (InvalidConstructorError) —

  if the policy constructor called incorrectly

See Also:

• https://github.com/varvet/pundit#scopes

# File 'lib/pundit.rb', line 96

def policy_scope(user, scope)
  policy_scope_class = PolicyFinder.new(scope).scope
  return unless policy_scope_class

  begin
    policy_scope = policy_scope_class.new(user, pundit_model(scope))
  rescue ArgumentError
    raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
  end

  policy_scope.resolve
end

.policy_scope!(user, scope) ⇒ Scope{#resolve}

Retrieves the policy scope for the given record.

Parameters:

• user (Object) —

  the user that initiated the action

• scope (Object) —

  the object we're retrieving the policy scope for

Returns:

• (Scope{#resolve}) —

  instance of scope class which can resolve to a scope

Raises:

• (NotDefinedError) —

  if the policy scope cannot be found

• (InvalidConstructorError) —

  if the policy constructor called incorrectly

See Also:

• https://github.com/varvet/pundit#scopes

# File 'lib/pundit.rb', line 117

def policy_scope!(user, scope)
  policy_scope_class = PolicyFinder.new(scope).scope!
  return unless policy_scope_class

  begin
    policy_scope = policy_scope_class.new(user, pundit_model(scope))
  rescue ArgumentError
    raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
  end

  policy_scope.resolve
end