1

I am trying to make an app with Rails 4.

I am using pundit with devise.

I am trying to write an Address Policy in Pundit.

I have three relevant models, being user.rb, profile.rb and address.rb.

The associations are:

user.rb

has_one :profile

profile.rb

belongs_to :user
  has_many :addresses, as: :addressable

address.rb

 belongs_to :addressable, :polymorphic => true

My address policy is:

class AddressPolicy < ApplicationPolicy

    def create?
        user.present? && user == address.profile.user
    end

    def update?
        user.present? && user == address.profile.user
    end

    def destroy?
        user.admin? 
    end

    private
        def address
            record
        end

end

Im having trouble how to figure out the way to write this policy. Address is polymorphic. Profile can have many addresses and a profile belongs to a user. So, for the policy I want the user who owns the profile to create and update addresses. I'm struggling because I can't figure out how to put profile into the chain of associations to link between user and address.

The current error method with this policy starts with the create? function:

def create?
        user.present? && user == address.profile.user
    end

The message is:

undefined method `profile' for #<Address:0x007fbad7ac0cf8>

My address policy inherits from my application policy, which initialises user and record:

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

Can anyone see how to do this?

Mel
  • 2,481
  • 26
  • 113
  • 273

1 Answers1

1

You could check if the user's addresses include the address:

user && user.profile.addresses.exists?(address.id)
Plamena Gancheva
  • 670
  • 3
  • 6
  • Hi - thanks Plamena. That worked, what is the (address.id) in the end of this doing? – Mel Jan 04 '16 at 11:35
  • And why does this work in the create action? There isn't an address when the user is adding a new address? – Mel Jan 04 '16 at 11:35
  • Hi. The method "exists?" takes an id or conditions - here is the documentation: http://apidock.com/rails/ActiveRecord/FinderMethods/exists%3F. You could use it to allow only the owner of the address to edit it. What are the restrictions for creating an address - isn't "user.present?" enough? – Plamena Gancheva Jan 04 '16 at 12:04
  • I want the user who has the address to be able to create/update/destroy. – Mel Jan 04 '16 at 12:16
  • You can allow a user with a certain address to create new addresses but if you want to allow a user without an address to create one you should check only if the user exists or some other business rule. Maybe I'm missing something but the address does not have an owner before it's created. – Plamena Gancheva Jan 04 '16 at 14:35
  • I was worried that if i just have the create action as user.present? then any user will be able to create the address. I just want the relevant user (to whom the address will belong) to create the address – Mel Jan 05 '16 at 01:22