
I am making a web app in Ruby on Rails. The question I have is: if I installed Devise, do I need to install Pundit as well to control user access?

I am talking about simple things: access to the current user's own profile, or only the author of an article being able to edit or remove it.

Would I need Pundit for that?

Fresz
  • No, you don't need anything. Gems are made to make life easier and bundle common functionality. If you see there is a growing amount of access control, then you should consider using Pundit or CanCanCan or another gem – Mike Szyndel Jan 22 '16 at 17:17
  • I am using devise for user stuff and I thought it is only for user registration. Thanks for your answer – Fresz Jan 22 '16 at 17:27
  • Devise is an authentication gem. It provides functionality to make sure a user has valid credentials (be it login/password, token, FB login, etc.). It doesn't take care of "user stuff", just authentication. – Mike Szyndel Jan 22 '16 at 17:29
  • So if I want a user to be able to edit their own stuff I need Pundit? – Fresz Jan 22 '16 at 17:48
  • If you want to make sure only the user who owns an article can edit it, then you should check the owner in the controller `edit` and `update` (and possibly `destroy`) actions. The Pundit gem makes it easier because it provides a clear DSL (collection of methods) for that, for example `authorize @post, :update?`. You don't have to use it, but it's probably better and will make your code cleaner. – Mike Szyndel Jan 22 '16 at 18:03
  • I understand. So I will use pundit but here is something I don't get - how does it know which user is meant to have access to what. Also is there an admin user class already there or should I create it? – Fresz Jan 22 '16 at 19:50
  • Read the docs, it is explained there. If you have a problem understanding, try CanCanCan; its config is a little more straightforward (just one file, while Pundit seems to have many). – Mike Szyndel Jan 22 '16 at 20:21

1 Answer


No, you don't have to use Pundit for your situation.

Devise sets up a simple authentication system for you. Pundit uses policies to set up more complicated access control.

In your situation, you could simply check if `@post.author == current_user`. On the other hand, you can also use Pundit's `def update; authorize @post; end`.

Jefferson
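
Both approaches from the answer side by side, as an added example that is not part of the original post or of either gem. It is plain Ruby with no Rails or Pundit loaded: the `User` and `Post` structs, the `NotAuthorizedError` class, the top-level `authorize` helper and the sample users and posts are stand-ins and constructed data. `PostPolicy` follows Pundit's policy-class convention (`initialize(user, record)` plus one predicate per action such as `update?`), which is what `authorize @post` inside an `update` action would consult.

```ruby
# Added example (not from the original post). Plain Ruby: the structs,
# NotAuthorizedError and the `authorize` helper below stand in for what
# Rails and the Pundit gem would supply; PostPolicy itself follows Pundit's
# policy-class convention and is the part you would put in app/policies.

User = Struct.new(:id, :name, :admin) do
  def admin?
    admin == true
  end
end

Post = Struct.new(:id, :title, :author)

# Pundit raises Pundit::NotAuthorizedError; this stands in for it.
class NotAuthorizedError < StandardError; end

# Policy for Post records, Pundit style: one object per (user, record) pair,
# one predicate per controller action.
class PostPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user      # current_user, nil when nobody is signed in
    @record = record  # the post being acted on
  end

  # Anyone, signed in or not, may read a post.
  def show?
    true
  end

  # Only the author, or an admin, may edit. The nil guard matters: with an
  # anonymous request and a post whose author is nil, a bare
  # `record.author == user` would be nil == nil and allow the edit.
  def update?
    return false if user.nil?
    user.admin? || record.author == user
  end

  # Deleting follows the same rule as editing.
  def destroy?
    update?
  end
end

# Stand-in for Pundit's controller `authorize`: build the policy for the
# record and raise unless the requested query returns true. In a controller,
# `authorize @post` inside `update` infers the :update? query from the action.
def authorize(current_user, record, query)
  policy = PostPolicy.new(current_user, record)
  raise NotAuthorizedError, "not allowed to #{query}" unless policy.public_send(query)
  true
end

# The ad-hoc check from the answer, as it would appear inline in a controller
# action. Same decision, but every action that needs it repeats the rule.
def can_edit_without_pundit?(current_user, post)
  !current_user.nil? && post.author == current_user
end

# Convenience for the demo: true/false instead of raise/no-raise.
def permitted?(current_user, record, query)
  authorize(current_user, record, query)
rescue NotAuthorizedError
  false
end

# Constructed sample data.
ALICE = User.new(1, "alice", false)
BOB   = User.new(2, "bob", false)
ROOT  = User.new(3, "root", true)
POST  = Post.new(10, "hello", ALICE)
ORPHAN_POST = Post.new(11, "no author", nil)

if __FILE__ == $PROGRAM_NAME
  [[ALICE, POST, :update?], [BOB, POST, :update?], [ROOT, POST, :destroy?],
   [nil, POST, :show?], [nil, POST, :update?], [nil, ORPHAN_POST, :update?]].each do |u, p, q|
    who = u ? u.name : "anonymous"
    puts "#{who.ljust(10)} #{q.to_s.ljust(9)} post #{p.id}: #{permitted?(u, p, q)}"
  end
end
```

The part worth keeping from either version is the `nil` guard: `current_user` is `nil` for an anonymous request, and a post whose `author` is also `nil` would otherwise pass `@post.author == current_user`. With Pundit, the generated `ApplicationPolicy` returns `false` from every predicate by default, and adding `after_action :verify_authorized` to the controller makes an action that never called `authorize` fail instead of silently allowing the request.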