Ask A Question

Notifications

You’re not receiving notifications from this thread.

Authorization with Pundit Discussion

Discussion for Authorization with Pundit
Shahnawaj Alom Limon Shahnawaj Alom Limon

It is really helpful. I've also seen CanCan. But I'm little bit confuse, which one should I use? Do you have any suggestion? Beside this I've a request that it'll be very helpful, if provide a video on angularjs with rails.

Reply

Use whichever one makes the most sense to you. I tend to prefer Pundit, but that's my preference.

Reply

Cancan is not really good for scaling. If your app grows larger later, Pundit will be much better.

Here is a good article explaining why.

http://www.distilnetworks.c...

Reply

Great video! I've been searching for a good intro to authorization and this was perfect. Thanks!

Reply
Kohl Kohlbrenner Kohl Kohlbrenner

I have a couple of questions: When are you actually passing in user and record into the the Pundit class because you never explicitly call ApplicationPolicy.new or PostPolicy.new ? How does Pundit know to assign a post to record variable and a user to user variable? Lastly does pundit know to associate @post with the PostPolicy?

Reply

You're always calling PostPolicy.new but Pundit provides a helper that creates the new policy and sends in those objects.

Since we inherited from ApplicationPolicy, the initialize method there is the one that sets the user and record variables. We created that, not Pundit so you have full control there.

When you call "authorize @post" it looks at the @post.class which is Post. Then it makes that a string, adds "Policy" on the end and looks up that class which would be "PostPolicy". That's how it knows to grab the right policy.

Reply

Hey @excid3:disqus I'm getting a strange error towards the end of the video where we add user == post.user I don't understand why this is happening because I have Devise setup properly. Any suggestions?

Reply

The error is happening inside Pundit. Check line 11 in your category_policy.rb. You're calling ".user" on something there that isn't valid. :)

Reply

Great video, I have a question:
How to handle multiple roles with Pundit?

Reply

you can use rolify

Reply

Very useful episode. Two things came into my mind while watching it regarding the best practice using pundit combined with devise:

- Since pundit policy is checking for user presence, devise before_action :authenticate_user! seems redundant. Is it good practice to keep it or delete it ?

- Another thing that seems interesting with pundit is scope, which let you avoid dealing with query starting with current_user.something. I tend to use the User class directly (instead of the current_user) on my queries, it allows me to let the user owning the object (address, avatar) or the admin editing the data simply by navigating on the users#edit page (or registrations#edit if devise). Is it a good practice or there is a better way ? Thank you in advance for your lights.

Reply

Hey Chris, thanks for the awesome video; however, I wonder how would you still use Pundit's provided helpers in an Angular raw html view?

For example, as you've explained in the video, you can use:
<% if policy(MyClass).new? %>
Do you know how I can leverage Pundit's helpers in a non erb view?

Thanks

Reply

Hi Chris, please could you do another podcast that goes deeper than this. I'm struggling big time (current issues outlined here: http://stackoverflow.com/qu... ). It would be great to see you set scopes based on who the current user is and the conditions attaching to the record. I've been trying for 2 years to figure this out now and need some help. Do you think you could show how to use the scope and resolve methods in detail. Thank you

Reply
Adrian Valenz Adrian Valenz

Yea, I had to use: <% if policy(@post).edit? %> in the Show View. policy(Post).edit? wouldn't work.

Reply
Jeremy Christopher Bray Jeremy Christopher Bray

Hi Chris,

I notice that you add:

class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception

include Pundit

after_action :verify_authorized, unless: :devise_controller?
end

In other tutorials I have seen :

class ApplicationController < ActionController::Base
include Pundit
protect_from_forgery

after_action :verify_policy_scoped, unless: :devise_controller?

end

is there any difference with including things before or after the protect?

Reply

It shouldn't make any difference. Traditionally people do includes at the very top and that's what I generally do too, but in this case I just pasted below to make it a little more clear.

Reply

Hey guys, I'm hoping for some advice on how to set a role for a user when signing up. My signup page has 2 options (as images); music supervisor and artist. Both go to the User/new form. In my User model I added a :role column. My goal is to have a user click an image; either supervisor or artist and when they sign up it adds that role name to the database. I know I could use an option field in the form, but I would love to do it this way.

I added this to my Routes:
devise_scope :user do
get "/users/sign_up/:role", to: 'devise/registrations#new', as: 'new_user_with_role'
end

And each image has it's respected url like:
link_to new_user_with_role_path(role: 'supervisor')

So the url looks like: /users/sign_up/supervisor
I added a hidden field and unsuccessfully tried sucking the params through the field to the database, but I think that's an unsecure way to do this.

Any ideas on a good way to do this? Thanks!

Reply

The video seems to be muted (not on my side of course).

Reply

Hi, this episode is not loading.

Reply

Might just be a temporary issue on Wistia. It's not loading for me either.

Reply

OK, thanks for the help

Reply

Has anyone else had any issue with their form not submitting? When Chris gets to creating a new post, for me it just stays on the form partial when I click submit. It's behaving as if the submit href is set to '#'. It was working fine before adding in all the pundit functionality.

Reply
Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 85,376+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.