Exceptions raised by #authorize now provide the query (e.g. 'create?') and
record (e.g. an instance of 'Post') that caused the exception to be raised, as
well as the relevant policy (e.g. an instance of 'PostPolicy').
NotAuthorizedError is modified to continue to inherit from StandardError, but
now also has attr_accessor values for :query, :record, and :policy.
In controller specs instead of relying on Pundit to instantiate the correct
policy object allow it to be injected into the controller. More often than not
a double is used in controller specs which means the policy cannot be
inferred. This also allows us to double the policy to ensure that on a unit
level the rights methods are being called on callaborators.
class PostsController < ApplicationController
attr_writer :post
helper_method :post
def create
authorize post
post.save
respond_with post
end
private
def post
@post ||= Post.new post_attributes
end
end
describe PagesController do
let(:policy) { double 'SomePolicy', create?: true }
before do
controller.policy = policy
end
it 'delegates authorization to policy' do
expect(policy).to have_received(:create?)
end
end
Add spec for injecting policy.
Use `or` instead of ternary operator.
Allow policy_scope to be injected for controller tests.
See the readme changes for an example. In short, this behaves
like verify_authorized but is useful for actions that find a
collection (like index) and don't authorize instances.
