module Pundit::Authorization
Protected Instance Methods
Retrieves a set of permitted attributes from the policy by instantiating the policy class for the given record and calling `permitted_attributes` on it, or `permitted_attributes_for_{action}` if the policy defines a method with that name for the given `action`. It then infers what key the record should have in the params hash and retrieves the permitted attributes from the params hash under that key.
@see github.com/varvet/pundit#strong-parameters
@param record [Object] the object we’re retrieving permitted attributes for
@param action [Symbol, String] the name of the action being performed on the record (e.g. `:update`). If omitted then this defaults to the Rails controller action name.
@return [Hash{String => Object}] the permitted attributes
    # File lib/pundit/authorization.rb, line 125
    def permitted_attributes(record, action = action_name)
      policy = policy(record)
      method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
        "permitted_attributes_for_#{action}"
      else
        "permitted_attributes"
      end
      pundit_params_for(record).permit(*policy.public_send(method_name))
    end
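The per-action lookup described above, as an added example built from plain-Ruby stand-ins (not Pundit's or Rails' own code). `PostPolicy`, `filter_params`, `permitted_for` and the request hash are hypothetical names and constructed data, and `KeyError` stands in for the error Rails raises when the required key is missing.

```ruby
# Added example: plain-Ruby stand-ins, not Pundit or Rails code.
User = Struct.new(:admin)
Post = Struct.new(:title)

# Hypothetical policy with a generic and an action-specific allow-list.
class PostPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Generic allow-list, used when no action-specific method exists.
  def permitted_attributes
    user.admin ? %i[title body published] : %i[title body]
  end

  # On update only an admin may change :title or :published.
  def permitted_attributes_for_update
    user.admin ? %i[title body published] : %i[body]
  end
end

# Stand-in for params.require(key).permit(*allowed): a missing key raises,
# attributes outside the allow-list are dropped.
def filter_params(params, key, allowed)
  nested = params.fetch(key) { raise KeyError, "param is missing: #{key}" }
  names = allowed.map(&:to_s)
  nested.select { |name, _value| names.include?(name) }
end

# Same lookup order as described above: action-specific method first,
# generic method as the fallback.
def permitted_for(user, record, action, params)
  policy = PostPolicy.new(user, record)
  specific = "permitted_attributes_for_#{action}"
  method_name = policy.respond_to?(specific) ? specific : "permitted_attributes"
  filter_params(params, "post", policy.public_send(method_name))
end

# Constructed request body that tries to set an attribute the author
# must not control.
REQUEST = { "post" => { "title" => "t", "body" => "b", "published" => true } }.freeze
```

For a non-admin, `permitted_for(user, post, :update, REQUEST)` keeps only `body`, while `:create` falls back to the generic list and keeps `title` and `body`; `published` is dropped in both cases.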
Cache of policies. You should not rely on this method.
@api private
    # File lib/pundit/authorization.rb, line 147
    def policies
      @_pundit_policies ||= {}
    end
Retrieves the policy for the given record.
@see github.com/varvet/pundit#policies
@param record [Object] the object we’re retrieving the policy for
@return [Object] instance of policy class with query methods
    # File lib/pundit/authorization.rb, line 110
    def policy(record)
      pundit.policy!(record)
    end
Retrieves the policy scope for the given record.
@see github.com/varvet/pundit#scopes
@param scope [Object] the object we’re retrieving the policy scope for
@param policy_scope_class [Class] the policy scope class we want to force use of
@return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
    # File lib/pundit/authorization.rb, line 100
    def policy_scope(scope, policy_scope_class: nil)
      @_pundit_policy_scoped = true
      policy_scope_class ? policy_scope_class.new(pundit_user, scope).resolve : pundit_policy_scope(scope)
    end
Cache of policy scope. You should not rely on this method.
@api private
    # File lib/pundit/authorization.rb, line 156
    def policy_scopes
      @_pundit_policy_scopes ||= {}
    end
@return [Pundit::Context] a new instance of {Pundit::Context} with the current user
    # File lib/pundit/authorization.rb, line 19
    def pundit
      @pundit ||= Pundit::Context.new(
        user: pundit_user,
        policy_cache: Pundit::CacheStore::LegacyStore.new(policies)
      )
    end
Retrieves the params for the given record.
@param record [Object] the object we’re retrieving params for
@return [ActionController::Parameters] the params
    # File lib/pundit/authorization.rb, line 139
    def pundit_params_for(record)
      params.require(PolicyFinder.new(record).param_key)
    end
@return [Boolean] whether policy scoping has been performed, i.e. whether one of {#policy_scope} or {#skip_policy_scope} has been called
    # File lib/pundit/authorization.rb, line 34
    def pundit_policy_scoped?
      !!@_pundit_policy_scoped
    end
Hook method which allows customizing which user is passed to policies and scopes initialized by {#authorize}, {#policy} and {#policy_scope}.
@see github.com/varvet/pundit#customize-pundit-user
@return [Object] the user object to be used with pundit
    # File lib/pundit/authorization.rb, line 166
    def pundit_user
      current_user
    end
Allow this action not to perform policy scoping.
@see github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
@return [void]
    # File lib/pundit/authorization.rb, line 90
    def skip_policy_scope
      @_pundit_policy_scoped = :skipped
    end
Raises an error if policy scoping has not been performed, usually used as an `after_action` filter to prevent programmer error in forgetting to call {#policy_scope} or {#skip_policy_scope} in index actions.
@see github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
@raise [AuthorizationNotPerformedError] if policy scoping has not been performed
@return [void]
    # File lib/pundit/authorization.rb, line 56
    def verify_policy_scoped
      raise PolicyScopingNotPerformedError, self.class unless pundit_policy_scoped?
    end
Private Instance Methods
    # File lib/pundit/authorization.rb, line 172
    def pundit_policy_scope(scope)
      policy_scopes[scope] ||= pundit.policy_scope!(scope)
    end