Allows users to skip authorization and prevent exceptions that result from
having `#verify_authorized` enabled. There are some times when you'd only
conditionally want to skip authorization, but you still want to keep
verification enabled for that action.
* The AuthorizationNotPerformedError is very descriptive of the
situation when authorization is forgotten. In the case of no
scoping, it can be a head scratcher.
* This new error type is implemented as a subclass of the current error
type to prevent regressions in existing code. While this is not ideal,
it is the simplest solution I could come up with for compatibility.
Exceptions raised by #authorize now provide the query (e.g. 'create?') and
record (e.g. an instance of 'Post') that caused the exception to be raised, as
well as the relevant policy (e.g. an instance of 'PostPolicy').
NotAuthorizedError is modified to continue to inherit from StandardError, but
now also has attr_accessor values for :query, :record, and :policy.
In controller specs instead of relying on Pundit to instantiate the correct
policy object allow it to be injected into the controller. More often than not
a double is used in controller specs which means the policy cannot be
inferred. This also allows us to double the policy to ensure that on a unit
level the rights methods are being called on callaborators.
class PostsController < ApplicationController
attr_writer :post
helper_method :post
def create
authorize post
post.save
respond_with post
end
private
def post
@post ||= Post.new post_attributes
end
end
describe PagesController do
let(:policy) { double 'SomePolicy', create?: true }
before do
controller.policy = policy
end
it 'delegates authorization to policy' do
expect(policy).to have_received(:create?)
end
end
Add spec for injecting policy.
Use `or` instead of ternary operator.
Allow policy_scope to be injected for controller tests.
See the readme changes for an example. In short, this behaves
like verify_authorized but is useful for actions that find a
collection (like index) and don't authorize instances.
