Help with gestalt of Pundit's authorize, please

The best explanation I have found for the gestalt of Pundit is https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/

And yet … I don’t get it.

I can understand each statement in https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ … but when I get to what the “authorize(@post)” in

```ruby
def create
  @post = Post.new(params[:post])
  authorize(@post)
  …
end
```

does … I don’t get it.

I’m trying to put together an English sentence for “authorize(@post)”. Please tell me if I’m close.

```ruby
authorize(@post)
```

means …

For the current user (i.e. current_user) and

for the @post object

throw a NotAuthorizedError exception if PostPolicy#create? returns false

I think the “hidden” inputs to authorize come from the following sources:

current_user from Devise’s current_user

@post is the self-evident argument to authorize

PostPolicy is built from the name of the class of the object @post followed by the word “Policy” (i.e. `@post.class.to_s + 'Policy'`)

create? is built from params[:action]. That is, since we know we’re in def create then params[:action] must be “create”.

How close am I?

Ralph

While I’m at it …

In

```ruby
authorize(@post)
```

WHAT is being “authorize-d”? The @post? The current_user? The controller action? Something else?

Ralph

Sounds about right. This is described in the Pundit README (GitHub - varvet/pundit: Minimal authorization through OO design and pure Ruby classes).

Fred

> While I’m at it …
>
> In
>
> ```ruby
> authorize(@post)
> ```
>
> WHAT is being “authorize-d”? The @post? The current_user? The controller action? Something else?

All 3: this checks that the current user can perform a given action (inferred from controller action) upon the passed object.

It might be better phrased as “check_authorized” rather than “authorize”, which sounds a bit like you are granting access rather than checking for access.

Fred
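Added example, not Pundit's own code and not from either poster: a Rails-free stand-in that shows the three inputs Fred lists being combined. The policy class is derived from the record's class name plus "Policy", the query from the action name plus "?", and the check raises when the query returns false. `User`, `Post`, `PostsController`, `current_user` and `action_name` are constructed here to stand in for Rails and Devise.

```ruby
# Constructed stand-ins so this runs without Rails or Devise.
NotAuthorizedError = Class.new(StandardError)
User = Struct.new(:id, :admin)
Post = Struct.new(:user_id)

# A plain Ruby policy class, following the "<Model>Policy" naming convention.
class PostPolicy
  attr_reader :user, :post

  def initialize(user, post)
    @user, @post = user, post
  end

  def create?
    !user.nil?                               # any signed-in user may create
  end

  def update?
    return false if user.nil?
    user.admin || post.user_id == user.id    # owner or admin may update
  end
end

# Mirrors the mechanism described in the thread: policy from the record's
# class name + "Policy", query from the controller action + "?", raise if false.
module MiniAuthorize
  def authorize(record, query = nil)
    query ||= "#{action_name}?"
    policy = Object.const_get("#{record.class.name}Policy").new(current_user, record)
    allowed = policy.public_send(query)
    raise NotAuthorizedError, "#{query} denied for #{record.class.name}" unless allowed
    record
  end
end

# current_user (Devise's role) and action_name (what params[:action] reflects)
# are injected here instead of coming from a real request.
class PostsController
  include MiniAuthorize
  attr_reader :current_user, :action_name

  def initialize(current_user, action_name)
    @current_user, @action_name = current_user, action_name
  end

  # Returns :ok when the action is permitted, :denied when authorize raises.
  def run(post)
    authorize(post)
    :ok
  rescue NotAuthorizedError
    :denied
  end
end
```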