Merge pull request #626 from QWYNG/authorize_return_record_with_namespase_arry

'.authorize' and '#authorize' return record even with passed record with namespace array
2022-11-09 12:30:11 -05:00 · 2019-11-12 09:58:13 +01:00 · 2019-11-12 09:58:13 +01:00 · 772fcacd98
commit 772fcacd98
parent 78c509d9fb 1b4600645d
3 changed files with 51 additions and 3 deletions
--- a/lib/pundit.rb
+++ b/lib/pundit.rb
@ -71,7 +71,7 @@ module Pundit

      raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)

-      record
+      record.is_a?(Array) ? record.last : record
    end

    # Retrieves the policy scope for the given record.
@ -222,7 +222,7 @@ protected

    raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)

-    record
+    record.is_a?(Array) ? record.last : record
  end

  # Allow this action not to perform authorization.
--- a/spec/pundit_spec.rb
+++ b/spec/pundit_spec.rb
@ -25,6 +25,26 @@ describe Pundit do
      expect(Pundit.authorize(user, post, :update?)).to be_truthy
    end

+    it "returns the record on successful authorization" do
+      expect(Pundit.authorize(user, post, :update?)).to eq(post)
+    end
+
+    it "returns the record when passed record with namespace " do
+      expect(Pundit.authorize(user, [:project, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the record when passed record with nested namespace " do
+      expect(Pundit.authorize(user, [:project, :admin, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the policy name symbol when passed record with headless policy" do
+      expect(Pundit.authorize(user, :publication, :create?)).to eq(:publication)
+    end
+
+    it "returns the class when passed record not a particular instance" do
+      expect(Pundit.authorize(user, Post, :show?)).to eq(Post)
+    end
+
    it "can be given a different policy class" do
      expect(Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy)).to be_truthy
    end
@ -410,7 +430,23 @@ describe Pundit do
    end

    it "returns the record on successful authorization" do
-      expect(controller.authorize(post)).to be(post)
+      expect(controller.authorize(post)).to eq(post)
+    end
+
+    it "returns the record when passed record with namespace " do
+      expect(controller.authorize([:project, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the record when passed record with nested namespace " do
+      expect(controller.authorize([:project, :admin, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the policy name symbol when passed record with headless policy" do
+      expect(controller.authorize(:publication, :create?)).to eq(:publication)
+    end
+
+    it "returns the class when passed record not a particular instance" do
+      expect(controller.authorize(Post, :show?)).to eq(Post)
    end

    it "can be given a different permission to check" do
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -158,6 +158,10 @@ class CriteriaPolicy < Struct.new(:user, :criteria); end

 module Project
  class CommentPolicy < Struct.new(:user, :comment)
+    def update?
+      true
+    end
+
    class Scope < Struct.new(:user, :scope)
      def resolve
        scope
@ -174,6 +178,14 @@ module Project
      end
    end
  end
+
+  module Admin
+    class CommentPolicy < Struct.new(:user, :comment)
+      def update?
+        true
+      end
+    end
+  end
 end

 class DenierPolicy < Struct.new(:user, :record)