Merge branch 'permitted_attributes_param_key' of https://github.com/Envek/pundit into Envek-permitted_attributes_param_key

I removed the option of manually specifying the param_key
2022-11-09 12:30:11 -05:00 · 2016-01-14 13:25:32 +01:00 · 2016-01-14 13:25:32 +01:00 · eb8f513dfe
commit eb8f513dfe
parent 00c989d5f1 db74632a90
4 changed files with 29 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,7 @@
 # Pundit

+- Add autodetection of param key to `permitted_attributes` helper with ability to override it with `param_key` option.
+
 ## 1.0.1 (2015-05-27)

 - Fixed a regression where NotAuthorizedError could not be ininitialized with a string.
--- a/lib/pundit.rb
+++ b/lib/pundit.rb
@ -140,8 +140,14 @@ module Pundit
  end

  def permitted_attributes(record)
-    name = record.class.to_s.demodulize.underscore
-    params.require(name).permit(*policy(record).permitted_attributes)
+    name = if record.respond_to?(:model_name)
+      record.model_name.param_key
+    elsif record.is_a?(Class)
+      record.to_s.demodulize.underscore
+    else
+      record.class.to_s.demodulize.underscore
+    end
+    params.require(name).permit(policy(record).permitted_attributes)
  end

  def policies
--- a/spec/pundit_spec.rb
+++ b/spec/pundit_spec.rb
@ -3,6 +3,7 @@ require "spec_helper"
 describe Pundit do
  let(:user) { double }
  let(:post) { Post.new(user) }
+  let(:customer_post) { Customer::Post.new(user) }
  let(:comment) { Comment.new }
  let(:article) { Article.new }
  let(:controller) { Controller.new(user, { :action => 'update' }) }
@ -343,6 +344,13 @@ describe Pundit do
      expect(Controller.new(user, params).permitted_attributes(post)).to eq({ 'title' => 'Hello', 'votes' => 5 })
      expect(Controller.new(double, params).permitted_attributes(post)).to eq({ 'votes' => 5 })
    end
+
+    it "checks policy for permitted attributes for record of a ActiveModel type" do
+      params = ActionController::Parameters.new({ action: 'update', customer_post: { title: 'Hello', votes: 5, admin: true } })
+
+      expect(Controller.new(user, params).permitted_attributes(customer_post)).to eq({ 'title' => 'Hello', 'votes' => 5 })
+      expect(Controller.new(double, params).permitted_attributes(customer_post)).to eq({ 'votes' => 5 })
+    end
  end

  describe "Pundit::NotAuthorizedError" do
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -56,6 +56,17 @@ class Post < Struct.new(:user)
  def inspect; "#<Post>"; end
 end

+module Customer
+  class Post < Post
+    # In ActiveRecord this method is accessible at both object and class level
+    def model_name
+      OpenStruct.new(param_key: 'customer_post')
+    end
+    def policy_class
+      PostPolicy
+    end
+  end
+end
 class CommentPolicy < Struct.new(:user, :comment); end
 class CommentPolicy::Scope < Struct.new(:user, :scope)
  def resolve