mirror of
https://github.com/varvet/pundit.git
synced 2022-11-09 12:30:11 -05:00
Add #verify_policy_scoped for controller usage.
See the readme changes for an example. In short, this behaves like verify_authorized but is useful for actions that find a collection (like index) and don't authorize instances.
parent 3da8b0d7f4
commit 7be0a890a6
3 changed files with 29 additions and 0 deletions
README.md (12 additions)
@ -133,6 +133,18 @@ class ApplicationController < ActionController::Base
end
```
Likewise, pundit also adds `verify_policy_scoped` to your controller. This
will raise an exception in the vein of `verify_authorized`. However it tracks
if `policy_scoped` is used instead of `authorize`. This is mostly useful for
controller actions like `index` which find collections with a scope and don't
authorize individual instances.
``` ruby
class ApplicationController < ActionController::Base
after_filter :verify_policy_scoped, :only => :index
end
```
## Scopes
Often, you will want to have some kind of view listing records which a
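Review bot: the prose "if `policy_scoped` is used instead of `authorize`" names a method that does not exist; the controller helper added in this commit is `policy_scope`, so the README should say `policy_scope`. The example also only guards `index`, so it would help readers to show the two filters together: `after_filter :verify_policy_scoped, :only => :index` alongside `after_filter :verify_authorized, :except => :index` leaves no action without a check, while the snippet as written says nothing about the other actions.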
@ -38,6 +38,7 @@ module Pundit
if respond_to?(:hide_action)
hide_action :authorize
hide_action :verify_authorized
hide_action :verify_policy_scoped
end
end
@ -45,6 +46,10 @@ module Pundit
raise NotAuthorizedError unless @_policy_authorized
end
def verify_policy_scoped
raise NotAuthorizedError unless @_policy_scoped
end
def authorize(record, query=nil)
query ||= params[:action].to_s + "?"
@_policy_authorized = true
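Review bot: `verify_policy_scoped` raises the same `NotAuthorizedError` that `verify_authorized` and `authorize` raise, so a controller's error handler cannot distinguish a developer omission (an `index` action that never called `policy_scope`) from a request that was genuinely denied, and both reach the user as the same failure. A distinct error class, or at least a descriptive message, would let the missing-scope case be logged and fixed instead of being treated as an ordinary authorization failure. Note also that, like `@_policy_authorized`, the flag is satisfied by any call to `policy_scope` during the action, not by the action actually querying through the returned scope; the README should say so.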
@ -55,6 +60,7 @@ module Pundit
end
def policy_scope(scope)
@_policy_scoped = true
Pundit.policy_scope!(current_user, scope)
end
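Review bot: `@_policy_scoped = true` is assigned before `Pundit.policy_scope!` runs, so the flag records that `policy_scope` was entered, not that a scope was actually resolved. Setting it after the call returns (`result = Pundit.policy_scope!(current_user, scope)`, then `@_policy_scoped = true`, then `result`) makes the flag and the outcome agree; in practice this only matters when the lookup raises and something inside the action rescues that exception.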
@ -194,6 +194,17 @@ describe Pundit do
end
end
describe "#verify_policy_scoped" do
it "does nothing when policy_scope is used" do
controller.policy_scope(Post)
controller.verify_policy_scoped
end
it "raises an exception when policy_scope is not used" do
expect { controller.verify_policy_scoped }.to raise_error(Pundit::NotAuthorizedError)
end
end
describe "#authorize" do
it "infers the policy name and authorized based on it" do
controller.authorize(post).should be_true
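Review bot: the "does nothing when policy_scope is used" example carries no expectation, so it passes only because nothing raised; writing it as `expect { controller.verify_policy_scoped }.not_to raise_error` makes the intent explicit and keeps the case meaningful if the method later returns a value. A small example asserting that `verify_policy_scoped` is registered with `hide_action` (the other hunk in this commit) would also be cheap to add.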