
I am trying to use this pundit policy to not allow users with the role clinician to access the index action on the patients controller. The scope section is currently working as I'd hoped, but with the policy as currently written I can still access /patients as a clinician user. What am I doing wrong? Thanks for any help!

Here are my role definitions:

enum role: { staff: 0, clinician: 1, admin: 2 }

Patient Policy

class PatientPolicy < ApplicationPolicy
  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user  = user
      @scope = scope
    end

    def resolve
      if user.admin?
        scope.all
      else
        scope.joins(:user).merge(User.where(university: user.university))
      end
    end
  end

  def index?
    user.staff? || user.admin?
  end
end

Patients controller:

def index
    @patients = policy_scope(Patient)
end
[rest of controller]
mike9182

1 Answer


Own goal: I needed to add the authorize line to my index action in my patients controller:

def index
    authorize Patient
    @patients = policy_scope(Patient)
end
mike9182
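To see why the scope alone never turned the clinician away, here is an added stand-alone Ruby illustration (not the asker's code and not Pundit itself): the policy above with User and Patient replaced by constructed Structs, plus hypothetical policy_scope / authorize_index! helpers standing in for what Pundit's controller helpers do.

```ruby
# Added illustration, not the asker's code or Pundit's: the policy above with
# the Rails parts stubbed out, so the scope-vs-authorize distinction runs alone.
NotAuthorizedError = Class.new(StandardError)
# Constructed stand-ins for the User (with the page's enum roles) and Patient models.
User = Struct.new(:role, :university) do
  def staff?;     role == :staff;     end
  def clinician?; role == :clinician; end
  def admin?;     role == :admin;     end
end
Patient = Struct.new(:name, :user)
class PatientPolicy
  attr_reader :user, :record
  def initialize(user, record)
    @user, @record = user, record
  end
  # The scope only narrows *which* rows are visible; it never refuses the action.
  class Scope
    attr_reader :user, :scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end
    def resolve
      return scope if user.admin?
      scope.select { |p| p.user.university == user.university }
    end
  end

  # index? is what gates the action, but only if the controller actually asks.
  def index?
    user.staff? || user.admin?
  end
end
# Hypothetical stand-ins for Pundit's policy_scope and authorize helpers.
def policy_scope(user, patients)
  PatientPolicy::Scope.new(user, patients).resolve
end
def authorize_index!(user)
  return if PatientPolicy.new(user, Patient).index?
  raise NotAuthorizedError, "role #{user.role} may not index patients"
end
# The fixed controller action: authorize first, then scope.
def index_with_authorize(user, patients)
  authorize_index!(user)
  policy_scope(user, patients)
end

# Constructed sample data: two universities, one clinician at Uni A.
STAFF_A   = User.new(:staff, "Uni A")
CLINICIAN = User.new(:clinician, "Uni A")
PATIENTS  = [Patient.new("p1", STAFF_A), Patient.new("p2", User.new(:staff, "Uni B"))]
```

Calling policy_scope(CLINICIAN, PATIENTS) still returns the same-university patient, which is exactly what the original controller did; only index_with_authorize raises for the clinician.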