The best explanation I have found for the gestalt of Pundit is https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/
And yet … I don’t get it.
I can understand each statement in https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ … but when I get to what the “authorize(@post)” in
def create
  @post = Post.new(params[:post])
  authorize(@post)
  …
end
does … I don’t get it.
I’m trying to put together an English sentence for “authorize(@post)”. Please tell me if I’m close.
For the current user (i.e. current_user) and
for the @post object,
raise a NotAuthorizedError exception if PostPolicy#create? returns false.
I think the “hidden” inputs to authorize come from the following sources:
current_user from Devise’s current_user
@post is the self-evident argument to authorize
PostPolicy is built from the name of the class of the object @post followed by the word “Policy” (i.e. @post.class.to_s + 'Policy')
create? is built from params[:action]. That is, since we know we’re in def create then params[:action] must be “create”.
How close am I?
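To make the "English sentence" in the question checkable, here is an added example (not Pundit's own code and not from the linked article) that re-creates the four lookup steps the question lists in a self-contained stand-in: a Struct-based User and Post, a hand-written PostPolicy, and a FakeController whose authorize derives the policy class from the record's class name plus "Policy" and the query method from the controller's action name plus "?". Pundit itself raises Pundit::NotAuthorizedError and reads the action via the controller's action_name; the names User, Post, FakeController and allowed? below are assumptions made for this illustration.

```ruby
# Constructed illustration of what a Pundit-style authorize(record) does.
# This is NOT Pundit's code; it reproduces the lookup steps from the question
# so they can be run without Rails, Devise or the pundit gem.

# Stand-in for Pundit::NotAuthorizedError.
class NotAuthorizedError < StandardError; end

# Stand-in for a Devise user (assumption: only name and an admin flag matter here).
User = Struct.new(:name, :admin)

# Stand-in for the ActiveRecord model; its class name drives the policy lookup.
Post = Struct.new(:title, :author)

# The policy class that "Post" + "Policy" resolves to.
class PostPolicy
  attr_reader :user, :post

  def initialize(user, post)
    @user = user
    @post = post
  end

  # Any signed-in user may create a post; a nil user (signed out) may not.
  def create?
    !user.nil?
  end

  # Only an admin or the post's own author may destroy it.
  def destroy?
    !user.nil? && (user.admin || post.author == user.name)
  end
end

# Minimal stand-in for a controller exposing current_user and action_name.
class FakeController
  attr_reader :current_user, :action_name

  def initialize(current_user, action_name)
    @current_user = current_user
    @action_name = action_name
  end

  # 1. query method  = action name + "?"            (e.g. "create?")
  # 2. policy class  = record's class name + "Policy" (e.g. PostPolicy)
  # 3. policy object = PolicyClass.new(current_user, record)
  # 4. raise NotAuthorizedError when the query returns false/nil, else return record
  def authorize(record, query = nil)
    query ||= "#{action_name}?"
    policy_class = Object.const_get("#{record.class}Policy")
    policy = policy_class.new(current_user, record)
    unless policy.public_send(query)
      raise NotAuthorizedError, "not allowed to #{query} this #{record.class}"
    end
    record
  end
end

# Helper used by the checks below: true if authorize passes, false if it raises.
def allowed?(user, action, post)
  FakeController.new(user, action).authorize(post)
  true
rescue NotAuthorizedError
  false
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", false)
  post  = Post.new("hello", "alice")
  puts "signed-in create: #{allowed?(alice, 'create', post)}"   # true
  puts "signed-out create: #{allowed?(nil, 'create', post)}"    # false
end
```

Reading the code top to bottom gives the sentence the question is reaching for: "for current_user and @post, build PostPolicy.new(current_user, @post), call create? on it, and raise NotAuthorizedError if that returns false."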