0

I am trying to add authorization via Pundit for my Proposal class.

I have all the creation of proposals, etc set up but I also have several states with aasm_gem for proposals. drafted, published and closed.

I want only users who own the proposal to be able to view the drafted proposal. then on publish any users should be able to view the proposal.

How would I go about creating a Pundit policy that achieves this? I was not able to quite understand from the documentaiton. If I can see one example I should be able to figure it out.

I currently trasition between states with this on the show page:

<%= button_to 'Publish Proposal', proposals_publish_path(@proposal), method: :put, class:"pull-right btn btn-primary btn-lg", style:"color:white; border: 0px; margin-top:15px;" %>

I already installed Pundit and ran the generator.

james
  • 519
  • 3
  • 10
  • 19

1 Answers1

0

I don't know anything about the aasm_gem you're referring to, but from your description, something like this would work (I'm making up the published? and draft? methods since I don't know the actual API you're dealing with)

def show?
  return true if record.published?
  return true if record.draft? && user.id == record.user_id

  false
end
deefour
  • 34,974
  • 7
  • 97
  • 90