
I have a pretty standard setup: Identity::Member are users, and each Project::Project is owned by a member. I use Devise and Pundit together for authentication and authorization.

Here's my code for Project::ProjectPolicy:

class Project::ProjectPolicy < ApplicationPolicy
  attr_reader :member, :project

  def initialize(member, project)
    @member = member
    @project = project
  end

  ...

  def update?
    member == project.member
  end

  def edit?
    update?
  end

  ...

end

And here's my edit action:

  # GET /projects/1/edit
  def edit
    authorize @project_project
    respond_with @project_project
  end

Lastly, the rescue setup in ApplicationController:

rescue_from Pundit::NotAuthorizedError, with: :member_not_authorized

def member_not_authorized
  respond_with current_member, status: :unauthorized, location: -> { root_path }
end

But... for some reason, clicking on edit still brings you to the edit view, although all changes are blocked and users are redirected to root_path just as I instructed for the update and destroy actions. Why?

Dovizu
  • Have you tried **not** using `respond_with` in your `member_not_authorized` call ? I am wondering if that's defaulting back to the `edit.html.erb` when the underlying `render` is called. – deefour Jun 09 '15 at 14:18
  • What is `@project_project`? How is it defined? – Pavan Jul 04 '15 at 07:04

0 Answers
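An added, stand-alone example (not code from the question or from Pundit/Devise) that models the ownership rule in the question's policy and puts the two possible rescue handlers side by side. The point it demonstrates is the one deefour's comment hints at: with the responders gem, `respond_with` on an HTML GET first renders the action's default template and only falls back to `location` when no template exists, so an `edit.html.erb` is still rendered (with a 401 status) while `update`/`destroy`, which have no template, redirect. An explicit `redirect_to root_path` in the handler does not depend on the verb or on a template. Plain Ruby only: Pundit, Rails and responders are not loaded; `Member`, `Project`, `NotAuthorizedError`, `authorize`, the two `handler_*` methods and `edit_request` are stand-ins written for this example, and the `handler_respond_with` method is a simplified model of responders' HTML behaviour, not its code. The `nil` guard in `update?` is an addition beyond the policy on the page.

```ruby
# Added example, not code from the question. Plain Ruby only: Pundit, Devise,
# Rails and responders are not loaded. Member/Project stand in for
# Identity::Member and Project::Project; NotAuthorizedError stands in for
# Pundit::NotAuthorizedError.

NotAuthorizedError = Class.new(StandardError)

Member  = Struct.new(:id, :email)
Project = Struct.new(:id, :member)

# Same ownership rule as the question's Project::ProjectPolicy, plus an
# explicit nil guard (assumption: a signed-out request must never pass).
class ProjectPolicy
  attr_reader :member, :project

  def initialize(member, project)
    @member  = member
    @project = project
  end

  def update?
    !member.nil? && member == project.member
  end

  def edit?
    update?
  end
end

# Mirrors what Pundit's `authorize` does: raise unless the policy query passes.
def authorize(member, project, query)
  policy = ProjectPolicy.new(member, project)
  raise NotAuthorizedError, "not allowed to #{query} Project #{project.id}" unless policy.public_send(query)
  true
end

# Simplified model (assumption, for contrast) of an HTML `respond_with` inside
# a rescue handler: when the action's template exists it is rendered (here
# with the 401 status passed in); only when no template exists does a non-GET
# request fall through to `location`. This is what leaves the edit view reachable.
def handler_respond_with(verb:, template_exists:)
  if template_exists
    { action: :render, status: 401 }
  elsif verb == :get
    { action: :error, status: 500 }          # MissingTemplate is re-raised on GET
  else
    { action: :redirect, location: "/" }
  end
end

# Hardened handler: an explicit redirect, independent of verb and template.
# In a Rails controller this is `redirect_to root_path, alert: "Not authorized"`.
def handler_redirect(verb:, template_exists:)
  { action: :redirect, location: "/", status: 302 }
end

# One request through the `edit` action: authorize, render on success,
# otherwise hand off to the chosen rescue handler (edit is a GET with a template).
def edit_request(current_member, project, handler:)
  authorize(current_member, project, :edit?)
  { action: :render, template: "projects/edit", status: 200 }
rescue NotAuthorizedError
  send(handler, verb: :get, template_exists: true)
end

if __FILE__ == $PROGRAM_NAME
  owner    = Member.new(1, "owner@example.com")     # constructed sample data
  intruder = Member.new(2, "other@example.com")
  project  = Project.new(10, owner)

  p edit_request(owner,    project, handler: :handler_respond_with)  # owner: renders, 200
  p edit_request(intruder, project, handler: :handler_respond_with)  # intruder: edit view still rendered, 401
  p edit_request(intruder, project, handler: :handler_redirect)      # intruder: redirected to "/"
end
```

The check a practitioner should keep is the last two lines: for a non-owner, the handler must produce a redirect (or a rendered error page), never the edit template. Note also that `status: :unauthorized` is a 401, which semantically means "not authenticated"; a signed-in member who is not the owner is a 403 Forbidden case.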