class Wallaby::PunditAuthorizationProvider

{github.com/varvet/pundit Pundit} base authorization provider.

@note This authorization provider DOES NOT use the {https://github.com/varvet/pundit#customize-pundit-user pundit_user} helper. It uses the one from {Wallaby::AuthenticationConcern#wallaby_user #wallaby_user} instead.

Public Class Methods

available?(context)

Detect whether Pundit is in use: the `Pundit` constant must be defined and the
controller or view context must respond to `pundit_user`.

@param context [ActionController::Base, ActionView::Base]
@return [true] if Pundit is in use
@return [false] otherwise

# File lib/authorizers/wallaby/pundit_authorization_provider.rb, line 13
def self.available?(context)
  # Both conditions are required: the gem may be loaded without Pundit
  # having been included into the controller.
  defined?(Pundit) && context.respond_to?(:pundit_user)
end

Public Instance Methods

attributes_for(action, subject)

Restrict the values a user may assign.

It looks up the policy's methods and picks the first one available:

  • `attributes_for_#{action}`

  • `attributes_for`

@param action [Symbol, String]
@param subject [Object]
@return [Hash] field/value pairs the user is allowed to assign

# File lib/authorizers/wallaby/pundit_authorization_provider.rb, line 51
def attributes_for(action, subject)
  policy = Pundit.policy! user, subject
  # Action-specific method first, then the generic one; an empty Hash
  # when the policy defines neither.
  policy.try("attributes_for_#{action}") || policy.try('attributes_for') || {}
end
authorize(action, subject)

Check the user's permission to perform an action on the given subject.

This method is mostly used in controllers.

@param action [Symbol, String]
@param subject [Object, Class]
@raise [Wallaby::Forbidden] when the user is not authorized to perform the action.

# File lib/authorizers/wallaby/pundit_authorization_provider.rb, line 23
def authorize(action, subject)
  # Pundit.authorize raises Pundit::NotAuthorizedError on denial; on success
  # the subject is returned so callers can chain on it.
  Pundit.authorize(user, subject, normalize(action)) && subject
rescue ::Pundit::NotAuthorizedError
  # Log the denied attempt, then re-raise as Wallaby::Forbidden.
  Logger.error <<~MESSAGE
    #{Utils.inspect user} is forbidden to perform #{action} on #{Utils.inspect subject}
  MESSAGE
  raise Forbidden
end
authorized?(action, subject)

Check whether the user is allowed to perform an action on the given subject.

@param action [Symbol, String]
@param subject [Object, Class]
@return [true] if the user is allowed to perform the action
@return [false] otherwise

# File lib/authorizers/wallaby/pundit_authorization_provider.rb, line 37
def authorized?(action, subject)
  policy = Pundit.policy! user, subject
  # `try` returns nil (falsy) when the policy does not define the query
  # method, so an unknown action is treated as denied.
  policy.try normalize(action)
end
permit_params(action, subject)

Restrict mass assignment for the user.

It looks up the policy's methods and picks the first one available:

  • `permitted_attributes_for_#{action}`

  • `permitted_attributes`

@param action [Symbol, String]
@param subject [Object]
@return [Array] list of fields the user is allowed to change.

# File lib/authorizers/wallaby/pundit_authorization_provider.rb, line 65
def permit_params(action, subject)
  policy = Pundit.policy! user, subject
  # Same lookup order as Pundit's own permitted_attributes helper:
  # @see https://github.com/varvet/pundit/blob/master/lib/pundit.rb#L258
  policy.try("permitted_attributes_for_#{action}") || policy.try('permitted_attributes')
end

Protected Instance Methods

normalize(action)

Convert an action to the Pundit query method name.

@param action [Symbol, String]
@return [String] e.g. `create?`; an action that already ends in `?` is not given a second one

# File lib/authorizers/wallaby/pundit_authorization_provider.rb, line 76
def normalize(action)
  # Strip an existing trailing "?" before appending so that "create" and
  # "create?" both map to "create?" (String#tr maps single characters and
  # cannot collapse a doubled "?").
  "#{action.to_s.delete_suffix('?')}?"
end
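As an added example (not code from Wallaby or Pundit), the lookup chain documented above reproduced in plain Ruby against a constructed policy: an action whose query method the policy does not define is denied rather than allowed, and the `_for_#{action}` variant wins over the generic one. `Pundit.policy!` is a constructed stand-in and ActiveSupport's `try` is replaced with `respond_to?`/`public_send`, so the block runs without either gem.

```ruby
# Constructed stand-in for Pundit.policy!: resolves "<Subject>Policy" for an
# instance or a Class. Not the gem's code; enough for the lookup chain to run.
module Pundit
  def self.policy!(user, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    Object.const_get("#{klass.name}Policy").new(user, subject)
  end
end
class Forbidden < StandardError; end
User = Struct.new(:name, :admin)
Post = Struct.new(:title, :author)
# Sample policy (constructed) using the method names the provider looks up.
# destroy? is deliberately absent: the provider treats a missing query as denial.
class PostPolicy
  def initialize(user, post)
    @user, @post = user, post
  end
  def update?; @user.admin || @post.author == @user.name; end
  def permitted_attributes_for_update; [:title]; end
  def permitted_attributes; [:title, :author]; end
  def attributes_for_create; { author: @user.name }; end
end

# The provider's lookup chain in plain Ruby: the first policy method that
# exists wins (ActiveSupport's `try` replaced by respond_to?/public_send).
class MiniProvider
  def initialize(user); @user = user; end
  def normalize(action)
    "#{action.to_s.delete_suffix('?')}?"  # "update" and "update?" -> "update?"
  end
  def authorized?(action, subject)
    first_of(subject, normalize(action)) ? true : false
  end
  def authorize(action, subject)
    authorized?(action, subject) ? subject : raise(Forbidden, "#{@user.name} may not #{action}")
  end
  def permit_params(action, subject)
    first_of(subject, "permitted_attributes_for_#{action}", 'permitted_attributes')
  end
  def attributes_for(action, subject)
    first_of(subject, "attributes_for_#{action}", 'attributes_for') || {}
  end
  private
  def first_of(subject, *names)
    policy = Pundit.policy!(@user, subject)
    name = names.find { |n| policy.respond_to?(n) }
    name && policy.public_send(name)
  end
end
```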