**The Tools**

  1. Pundit Authorisation; experimenting with this pull request linked to from the official Pundit README;
  2. ActiveInteraction domain service objects ("DSOs");
  3. RSpec 2.99.1

**The Project**

The project repo is on Github; what's under scrutiny here is on the pundit-1 branch.

I've followed the Pundit tutorial and gotten authorisation working using "traditional" chubby controllers; see

All well and good so far. And then we come to the SessionController, whose #new and #destroy actions respectively govern logging in and out.

The current code and spec Work Just Fine using traditional-ish controller logic (see how #new calls private methods that use Pundit to authorise the active (current) user using a SessionDataPolicy).

Then I try to encapsulate that logic within an ActiveInteraction DSO (see the commented-out code in SessionsController#new), and all hell breaks loose.

More specifically, the version of the SessionsController spec in this Gist raises a Pundit::AuthorizationNotPerformedError at the point where the spec calls the #new method.

Whiskey. Tango. FOX?!?!?

Has anybody been able to get similar code working without Pundit living directly inside the controller code, ideally using @billychan's pull request (a better alternate will be gratefully entertained)?

This has me completely flummoxed.

Jeff Dickey
  • The links to the pundit-1 branch and controllers above are both returning 404's (potentially private repo?). That is making it difficult for me to tell what is going on exactly. – Josh Frankel Sep 14 '17 at 20:00
  • Sorry about that, John. The repo is still there and public; the branch has been deleted, apparently by one of my 'helpful' collaborators. I can't find out more since GitHub doesn't apparently support activity reports going back farther than a month, and I don't have the branch locally anymore, either. This is old enough now that I probably really ought to just delete the question, since _everything_ about it is outdated now. I'll leave it up a little while longer just so you can get this. Sorry again. – Jeff Dickey Oct 07 '17 at 10:32
  • Jeff Dickey, For someone starting with Service Objects, do you have a recommendation of how to implement path/activity based authorization. Thanks for any pointers. – user553620 Oct 24 '17 at 10:32
  • @user553620 can you just use the class instantiation like `PolicyName.new(user, context).action?` – Kevin Brown Oct 24 '17 at 13:12

2 Answers

Pundit::AuthorizationNotPerformedError is raised because of the #verify_authorized method, which basically checks for the @_pundit_policy_authorized variable.

You can just turn off verification for controllers that don't need it.

UPD. and again necroposting. I need to pay more attention to dates :\

Nondv

You can create a headless policy at the DSO level, like

```ruby
Struct.new(:user)
```

and then validate methods authorisation on users.

Jaswinder
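
The failure mode discussed in the answers above, as an added example that is not part of the original thread and not Pundit's own code: a plain-Ruby model in which `verify_authorized` fails closed because a policy checked only inside a service object never sets `@_pundit_policy_authorized`. `ControllerModel`, `NewSessionService`, the `User` struct and the guest-only rule are assumptions made for illustration.

```ruby
# Simplified model of the mechanism; every name except verify_authorized and
# @_pundit_policy_authorized is hypothetical and chosen for this example.
class AuthorizationNotPerformedError < StandardError; end
class NotAuthorizedError < StandardError; end

User = Struct.new(:name, :guest)

# Headless policy: no record, only the user (the Struct.new(:user) shape).
SessionDataPolicy = Struct.new(:user) do
  # Constructed rule: only a guest (not logged in) may open the login form.
  def new?; user.guest; end
end

# Service object that checks the policy itself, outside the controller.
class NewSessionService
  def self.run(user)
    raise NotAuthorizedError unless SessionDataPolicy.new(user).new?
    :login_form
  end
end

class ControllerModel
  def initialize(user); @user = user; end

  # Controller-side helper: records that a check ran, then enforces it.
  def authorize(policy, query)
    @_pundit_policy_authorized = true
    raise NotAuthorizedError unless policy.public_send(query)
  end

  # After-action guard: fails closed when no check was recorded.
  def verify_authorized
    raise AuthorizationNotPerformedError unless @_pundit_policy_authorized
  end

  # Policy enforced only inside the service: the flag is never set,
  # so the guard raises even though the user was in fact allowed.
  def new_via_service_only
    NewSessionService.run(@user).tap { verify_authorized }
  end

  # Controller records the check, then delegates the work to the service.
  def new_with_recorded_check
    authorize(SessionDataPolicy.new(@user), :new?)
    NewSessionService.run(@user).tap { verify_authorized }
  end
end
```

Recording the check in the controller keeps the guard active for the action, so a later refactor that drops the policy call still fails loudly instead of silently serving the request.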