2

I'm learning Pundit using the RailsApps Pundit Tutorial and this statement from the tutorial totally confused me:

Given that the policy object is named UserPolicy, and we will use it for authorization from the Users controller, you might wrongly assume that the name of the policy object will always match the name of the controller. That is not the case.

  1. How can I create a policy (or set of policies) that allows users with the "role_a" to use the users_controller.index action and users with the "role_b" to use the orders_controller.index action?

    1.1 Does this require two different policies (UserPolicy and OrderPolicy) or should I name the index action for every controller differently to differentiate it on the UserPolicy?

Daniel Kehoe

1 Answer

2

Yes, it requires two different policies (UserPolicy and OrderPolicy).

# app/policies/user_policy.rb
class UserPolicy
  attr_reader :current_user, :record

  # Pundit instantiates a policy as UserPolicy.new(user, record), so the
  # initializer must accept both arguments or authorize will raise ArgumentError.
  def initialize(current_user, record)
    @current_user = current_user
    @record = record
  end

  def index?
    current_user.role_a?
  end
end

And in your index method of users_controller

def index
  # Pass the class for a collection action: Pundit derives UserPolicy from it
  # and calls UserPolicy#index?, raising Pundit::NotAuthorizedError on false.
  authorize User
  @users = User.all
end

Same for OrderPolicy

# app/policies/order_policy.rb
class OrderPolicy
  attr_reader :current_user, :record

  # Same (user, record) signature as every Pundit policy.
  def initialize(current_user, record)
    @current_user = current_user
    @record = record
  end

  def index?
    current_user.role_b?
  end
end

And in your index method of orders_controller

def index
  # Authorize Order, not a User record: the policy is chosen from the record's
  # class, so `authorize @user` here would consult UserPolicy instead.
  authorize Order
  @orders = Order.all
end
Pavan
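The point both the tutorial sentence and the answer turn on is that Pundit picks the policy from the class of the record you pass to authorize, not from the controller, and then calls the method named after the action. The following is an added example, not code from the question, the answer or the Pundit gem: it reimplements just that lookup in plain Ruby so it runs offline without Rails, with a constructed User struct, role helpers, sample users and a fail-closed ApplicationPolicy that are all assumptions for the demonstration. It shows role_a passing UserPolicy#index? and being denied by OrderPolicy#index?, and that authorizing a User instance, even from an orders controller, still routes to UserPolicy.

```ruby
# Added example: a minimal stand-in for Pundit's policy lookup (not the gem).
# Constructed models: a user with a list of symbolic roles, and an order.
User = Struct.new(:name, :roles) do
  def role_a?
    roles.include?(:role_a)
  end

  def role_b?
    roles.include?(:role_b)
  end
end
Order = Struct.new(:id, :owner)

class NotAuthorizedError < StandardError; end

# Every policy receives (user, record), the same signature Pundit uses.
# Assumed base class: denies everything not explicitly allowed (fail closed).
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    raise NotAuthorizedError, "must be logged in" unless user

    @user = user
    @record = record
  end

  def index?
    false
  end

  def show?
    false
  end
end

class UserPolicy < ApplicationPolicy
  def index?
    user.role_a?
  end
end

class OrderPolicy < ApplicationPolicy
  def index?
    user.role_b?
  end
end

# Mimics Pundit's lookup: "#{record class}Policy", for an instance or a class.
def policy_class_for(record)
  klass = record.is_a?(Class) ? record : record.class
  Object.const_get("#{klass.name}Policy")
end

# Mimics `authorize(record, query)`: raises unless the policy method is truthy.
def authorize(user, record, query)
  policy = policy_class_for(record).new(user, record)
  unless policy.public_send(query)
    raise NotAuthorizedError, "#{policy.class}##{query} denied for #{user.name}"
  end
  record
end

# Convenience wrapper so the outcome can be inspected as a boolean.
def allowed?(user, record, query)
  authorize(user, record, query)
  true
rescue NotAuthorizedError
  false
end

# Constructed sample users: one per role.
ALICE = User.new("alice", [:role_a])
BOB = User.new("bob", [:role_b])

if __FILE__ == $PROGRAM_NAME
  p allowed?(ALICE, User, :index?)  # UserPolicy#index?  -> true
  p allowed?(ALICE, Order, :index?) # OrderPolicy#index? -> false
  p allowed?(BOB, Order, :index?)   # OrderPolicy#index? -> true
  p allowed?(BOB, User, :index?)    # UserPolicy#index?  -> false
  # A User instance authorized from an orders controller still hits UserPolicy.
  p policy_class_for(User.new("carol", []))
end
```

In a real app the same fail-closed property comes from an ApplicationPolicy whose methods return false by default, plus `after_action :verify_authorized` in ApplicationController so an action that forgets to call authorize raises instead of silently allowing access.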