
If I have a user object and the user has one basicinfo. In the user show action I have:

def show
  @user = User.find params[:id]
  authorize @user
end

And in show.html.erb I must show user's basicinfo, such as:

User name is: <%= @user.basicinfo.name %>

In this case should I also authorize basicinfo in user show action?

def show
  @user = User.find params[:id]
  authorize @user
  authorize @user.basicinfo, :show?
end
xnjiang

1 Answer


The authorization applies to the entire action.

If you want to filter out some elements in the view you can do so on an ad hoc basis, basically applying whatever attribute you are using in the xxxPolicy class (which is not provided above).

Handling user authorization is possibly too complicated via Pundit

# Pundit passes the current user first and the record second; for a
# UserPolicy the record is itself a User, so the two need distinct names
# (Ruby rejects a duplicated argument name).
def initialize(current_user, user)
  @current_user = current_user
  @user = user
end

I definitely do filtering in the views when it comes to user actions

Jerome
  • The second avenue to take for your user model is to place logic within the controller. Pundit was meant to eliminate such tedious work, but on the user model it's not so simple. I maintain pundit for all other models, while on the user model I decide whether I want a controller to throw unauthorized users out, or whether I need to filter data in the view, based on the actual context. – Jerome Apr 12 '14 at 14:23
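As an added example (not part of the question or answer, and not Pundit's own code), the pattern below shows one way to answer the original question: give BasicInfo a policy that delegates to the owning user's policy, so the second `authorize` call in `show` is harmless but redundant. The `authorize` helper, `NotAuthorizedError`, the `admin` flag and the sample users are hand-rolled stand-ins so the code runs without Rails or the pundit gem.

```ruby
# Stand-in for Pundit::NotAuthorizedError (assumption, not Pundit's class).
NotAuthorizedError = Class.new(StandardError)

# Constructed models: a user owns exactly one basicinfo record.
User = Struct.new(:id, :admin, :basicinfo)
BasicInfo = Struct.new(:name, :user)

# UserPolicy: a user may view their own record; admins may view anyone.
class UserPolicy
  def initialize(current_user, record)
    @current_user, @record = current_user, record
  end

  def show?
    @current_user.admin || @current_user.id == @record.id
  end
end

# BasicInfoPolicy has no rules of its own: the record is visible exactly
# when its owner is, so it delegates to UserPolicy.
class BasicInfoPolicy
  def initialize(current_user, record)
    @current_user, @record = current_user, record
  end

  def show?
    UserPolicy.new(@current_user, @record.user).show?
  end
end

# Imitation of Pundit's controller helper: resolves "<Model>Policy" by name,
# runs the query, and raises when it is false.
def authorize(current_user, record, query = :show?)
  policy = Object.const_get("#{record.class.name}Policy").new(current_user, record)
  raise NotAuthorizedError, "not allowed to #{query} #{record.class.name}" unless policy.public_send(query)
  record
end

# Mirrors the question's show action; returns what the view would render.
def show_action(current_user, target)
  authorize(current_user, target)
  authorize(current_user, target.basicinfo, :show?)  # redundant, but consistent
  target.basicinfo.name
end

# Constructed sample data: two ordinary users and one admin.
def sample_users
  alice = User.new(1, false, nil); alice.basicinfo = BasicInfo.new("Alice", alice)
  bob   = User.new(2, false, nil); bob.basicinfo   = BasicInfo.new("Bob", bob)
  admin = User.new(3, true, nil);  admin.basicinfo = BasicInfo.new("Admin", admin)
  [alice, bob, admin]
end
```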