Add permitted_attributes_for_#{action} hook

Allows separate attributes for different actions. Closes #340
2022-11-09 12:30:11 -05:00 · 2016-01-14 14:43:51 +01:00 · 2016-01-14 14:43:51 +01:00 · 9862b60249
commit 9862b60249
parent 7972f66134
4 changed files with 37 additions and 7 deletions
--- a/lib/pundit.rb
+++ b/lib/pundit.rb
@ -139,15 +139,15 @@ module Pundit
    policies[record] ||= Pundit.policy!(pundit_user, record)
  end

-  def permitted_attributes(record)
-    name = if record.respond_to?(:model_name)
-      record.model_name.param_key
-    elsif record.is_a?(Class)
-      record.to_s.demodulize.underscore
+  def permitted_attributes(record, action=params[:action])
+    param_key = PolicyFinder.new(record).param_key
+    policy = policy(record)
+    method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
+      "permitted_attributes_for_#{action}"
    else
-      record.class.to_s.demodulize.underscore
+      "permitted_attributes"
    end
-    params.require(name).permit(policy(record).permitted_attributes)
+    params.require(param_key).permit(policy.public_send(method_name))
  end

  def policies
--- a/lib/pundit/policy_finder.rb
+++ b/lib/pundit/policy_finder.rb
@ -59,6 +59,18 @@ module Pundit
      policy or raise NotDefinedError, "unable to find policy `#{find}` for `#{object.inspect}`"
    end

+    # @return [String] the name of the key this object would have in a params hash
+    #
+    def param_key
+      if object.respond_to?(:model_name)
+        object.model_name.param_key.to_s
+      elsif object.is_a?(Class)
+        object.to_s.demodulize.underscore
+      else
+        object.class.to_s.demodulize.underscore
+      end
+    end
+
  private

    # @return [String] policy class name
--- a/spec/pundit_spec.rb
+++ b/spec/pundit_spec.rb
@ -430,6 +430,20 @@ describe Pundit do
    end
  end

+  describe "#permitted_attributes_for_action" do
+    it "is checked if it is defined in the policy" do
+      params = ActionController::Parameters.new({ action: 'revise', post: { title: 'Hello', body: "blah", votes: 5, admin: true } })
+
+      expect(Controller.new(user, params).permitted_attributes(post)).to eq({ 'body' => 'blah' })
+    end
+
+    it "can be explicitly set" do
+      params = ActionController::Parameters.new({ action: 'update', post: { title: 'Hello', body: "blah", votes: 5, admin: true } })
+
+      expect(Controller.new(user, params).permitted_attributes(post, :revise)).to eq({ 'body' => 'blah' })
+    end
+  end
+
  describe "Pundit::NotAuthorizedError" do
    it "can be initialized with a string as message" do
      error = Pundit::NotAuthorizedError.new("must be logged in")
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -42,6 +42,10 @@ class PostPolicy < Struct.new(:user, :post)
      [:votes]
    end
  end
+
+  def permitted_attributes_for_revise
+    [:body]
+  end
 end
 class PostPolicy::Scope < Struct.new(:user, :scope)
  def resolve