Use controller’s action_name attr instead of params[:action]

This is the recommended way to access a controller’s current action
2022-11-09 12:30:11 -05:00 · 2016-09-27 11:29:43 -04:00 · 2016-09-27 11:29:43 -04:00 · 667b1385ae
commit 667b1385ae
parent d28170b722
3 changed files with 37 additions and 24 deletions
--- a/lib/pundit.rb
+++ b/lib/pundit.rb
@ -175,7 +175,7 @@ protected
  # @raise [NotAuthorizedError] if the given query method returned false
  # @return [Object] Always returns the passed object record
  def authorize(record, query = nil)
-    query ||= params[:action].to_s + "?"
+    query ||= "#{action_name}?"

    @_pundit_policy_authorized = true

@ -232,7 +232,7 @@ protected
  # @param action [Symbol, String] the name of the action being performed on the record (e.g. `:update`).
  #   If omitted then this defaults to the Rails controller action name.
  # @return [Hash{String => Object}] the permitted attributes
-  def permitted_attributes(record, action = params[:action])
+  def permitted_attributes(record, action = action_name)
    policy = policy(record)
    method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
      "permitted_attributes_for_#{action}"
--- a/spec/pundit_spec.rb
+++ b/spec/pundit_spec.rb
@ -8,7 +8,7 @@ describe Pundit do
  let(:comment) { Comment.new }
  let(:comment_four_five_six) { CommentFourFiveSix.new }
  let(:article) { Article.new }
-  let(:controller) { Controller.new(user, action: "update") }
+  let(:controller) { Controller.new(user, "update", {}) }
  let(:artificial_blog) { ArtificialBlog.new }
  let(:article_tag) { ArticleTag.new }
  let(:comments_relation) { CommentsRelation.new }
@ -426,30 +426,40 @@ describe Pundit do

  describe "#permitted_attributes" do
    it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(action: "update", post: {
+      params = ActionController::Parameters.new(post: {
        title: "Hello",
        votes: 5,
        admin: true
      })

-      expect(Controller.new(user, params).permitted_attributes(post).to_h).to eq("title" => "Hello", "votes" => 5)
-      expect(Controller.new(double, params).permitted_attributes(post).to_h).to eq("votes" => 5)
-    end
+      action = "update"

-    it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(action: "update", customer_post: {
-        title: "Hello",
-        votes: 5,
-        admin: true
-      })
-
-      expect(Controller.new(user, params).permitted_attributes(customer_post)).to eq("title" => "Hello", "votes" => 5)
-      expect(Controller.new(double, params).permitted_attributes(customer_post)).to eq("votes" => 5)
-      expect(Controller.new(user, params).permitted_attributes(customer_post).to_h).to eq(
+      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq(
        "title" => "Hello",
        "votes" => 5
      )
-      expect(Controller.new(double, params).permitted_attributes(customer_post).to_h).to eq(
+      expect(Controller.new(double, action, params).permitted_attributes(post).to_h).to eq("votes" => 5)
+    end
+
+    it "checks policy for permitted attributes for record of a ActiveModel type" do
+      params = ActionController::Parameters.new(customer_post: {
+        title: "Hello",
+        votes: 5,
+        admin: true
+      })
+
+      action = "update"
+
+      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
+        "title" => "Hello",
+        "votes" => 5
+      )
+      expect(Controller.new(double, action, params).permitted_attributes(customer_post)).to eq("votes" => 5)
+      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
+        "title" => "Hello",
+        "votes" => 5
+      )
+      expect(Controller.new(double, action, params).permitted_attributes(customer_post).to_h).to eq(
        "votes" => 5
      )
    end
@ -457,25 +467,27 @@ describe Pundit do

  describe "#permitted_attributes_for_action" do
    it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(action: "revise", post: {
+      params = ActionController::Parameters.new(post: {
        title: "Hello",
        body: "blah",
        votes: 5,
        admin: true
      })

-      expect(Controller.new(user, params).permitted_attributes(post).to_h).to eq("body" => "blah")
+      action = "revise"
+      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq("body" => "blah")
    end

    it "can be explicitly set" do
-      params = ActionController::Parameters.new(action: "update", post: {
+      params = ActionController::Parameters.new(post: {
        title: "Hello",
        body: "blah",
        votes: 5,
        admin: true
      })

-      expect(Controller.new(user, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
+      action = "update"
+      expect(Controller.new(user, action, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
    end
  end

--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -156,10 +156,11 @@ class Controller
  # Mark protected methods public so they may be called in test
  public(*Pundit.protected_instance_methods)

-  attr_reader :current_user, :params
+  attr_reader :current_user, :action_name, :params

-  def initialize(current_user, params)
+  def initialize(current_user, action_name, params)
    @current_user = current_user
+    @action_name = action_name
    @params = params
  end
 end