mirror of
https://github.com/varvet/pundit.git
synced 2022-11-09 12:30:11 -05:00
Add permitted_attributes_for_#{action} hook
Allows separate attributes for different actions. Closes #340
parent
7972f66134
commit
9862b60249
4 changed files with 37 additions and 7 deletions
|
@ -139,15 +139,15 @@ module Pundit
|
||||||
policies[record] ||= Pundit.policy!(pundit_user, record)
|
policies[record] ||= Pundit.policy!(pundit_user, record)
|
||||||
end
|
end
|
||||||
|
|
||||||
def permitted_attributes(record)
|
def permitted_attributes(record, action=params[:action])
|
||||||
name = if record.respond_to?(:model_name)
|
param_key = PolicyFinder.new(record).param_key
|
||||||
record.model_name.param_key
|
policy = policy(record)
|
||||||
elsif record.is_a?(Class)
|
method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
|
||||||
record.to_s.demodulize.underscore
|
"permitted_attributes_for_#{action}"
|
||||||
else
|
else
|
||||||
record.class.to_s.demodulize.underscore
|
"permitted_attributes"
|
||||||
end
|
end
|
||||||
params.require(name).permit(policy(record).permitted_attributes)
|
params.require(param_key).permit(policy.public_send(method_name))
|
||||||
end
|
end
|
||||||
|
|
||||||
def policies
|
def policies
|
||||||
|
|
|
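Review bot: The new signature `def permitted_attributes(record, action=params[:action])` selects the strong-parameters allowlist from `action`, but nothing documents where that value may come from or what happens when the policy has no matching method. When `policy.respond_to?("permitted_attributes_for_#{action}")` is false the code silently uses `permitted_attributes`, so a misspelled or renamed per-action method makes the general list apply with no error, and that list may be wider than the action was meant to allow. I would add a doc comment above the method, for example `# @param action [Symbol, String] action name from routing or a fixed literal; never pass request-supplied input` and `# Falls back to policy.permitted_attributes when permitted_attributes_for_<action> is not defined.` The interpolated name goes to `public_send`, which limits dispatch to public policy methods carrying that prefix, and the comment should state that callers rely on this. `def policies` below the method continues outside the hunk.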
@ -59,6 +59,18 @@ module Pundit
|
||||||
policy or raise NotDefinedError, "unable to find policy `#{find}` for `#{object.inspect}`"
|
policy or raise NotDefinedError, "unable to find policy `#{find}` for `#{object.inspect}`"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# @return [String] the name of the key this object would have in a params hash
|
||||||
|
#
|
||||||
|
def param_key
|
||||||
|
if object.respond_to?(:model_name)
|
||||||
|
object.model_name.param_key.to_s
|
||||||
|
elsif object.is_a?(Class)
|
||||||
|
object.to_s.demodulize.underscore
|
||||||
|
else
|
||||||
|
object.class.to_s.demodulize.underscore
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
# @return [String] policy class name
|
# @return [String] policy class name
|
||||||
|
|
|
@ -430,6 +430,20 @@ describe Pundit do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "#permitted_attributes_for_action" do
|
||||||
|
it "is checked if it is defined in the policy" do
|
||||||
|
params = ActionController::Parameters.new({ action: 'revise', post: { title: 'Hello', body: "blah", votes: 5, admin: true } })
|
||||||
|
|
||||||
|
expect(Controller.new(user, params).permitted_attributes(post)).to eq({ 'body' => 'blah' })
|
||||||
|
end
|
||||||
|
|
||||||
|
it "can be explicitly set" do
|
||||||
|
params = ActionController::Parameters.new({ action: 'update', post: { title: 'Hello', body: "blah", votes: 5, admin: true } })
|
||||||
|
|
||||||
|
expect(Controller.new(user, params).permitted_attributes(post, :revise)).to eq({ 'body' => 'blah' })
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "Pundit::NotAuthorizedError" do
|
describe "Pundit::NotAuthorizedError" do
|
||||||
it "can be initialized with a string as message" do
|
it "can be initialized with a string as message" do
|
||||||
error = Pundit::NotAuthorizedError.new("must be logged in")
|
error = Pundit::NotAuthorizedError.new("must be logged in")
|
||||||
|
|
|
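Review bot: The two examples under `describe "#permitted_attributes_for_action"` only cover a policy that defines the per-action method; none of the visible cases pins the result when `action` names a method the policy lacks. That fallback decides which attributes get through mass-assignment filtering, so I would add an example with a constructed action such as `action: 'publish'` and assert that the result matches what plain `permitted_attributes` allows. The describe label also names a method that does not exist; `"#permitted_attributes with a per-action policy method"` would read more accurately. The enclosing `describe Pundit do` block starts and ends outside the hunk.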
@ -42,6 +42,10 @@ class PostPolicy < Struct.new(:user, :post)
|
||||||
[:votes]
|
[:votes]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def permitted_attributes_for_revise
|
||||||
|
[:body]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
class PostPolicy::Scope < Struct.new(:user, :scope)
|
class PostPolicy::Scope < Struct.new(:user, :scope)
|
||||||
def resolve
|
def resolve
|
||||||
|
|