From the README:

> Pundit tracks whether you have called authorize anywhere in your controller action. Pundit also adds a method to your controllers called verify_authorized ...
>
> Pundit also adds verify_policy_scoped to your controller. This will raise an exception similar to verify_authorized. However, it tracks if policy_scope is used instead of authorize.
You have mixed the two methods up. You've called authorize, but are checking whether policy_scope was called.

policy_scope is typically used for collections of records (such as your example, or more typically index actions), whereas authorize is typically used for individual records (such as show/edit/update/destroy actions).
In your case, however, what you've got currently doesn't necessarily warrant a policy at all - all you're checking is whether the user is signed in!
If you require a user to be signed in, but they are not, then your application should respond with a 401 error, not 403. You may do this with, for example, before_action :authorize in your controller. (It depends how you have implemented authorization -- see the documentation on whatever library you're using, e.g. devise).
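To make the mix-up concrete, here is an added, self-contained Ruby model of the tracking behaviour the answer describes. It is not Pundit's own code and not from the original post: a hypothetical FakeController records whether authorize or policy_scope was called, and its verify_authorized / verify_policy_scoped checks raise when the matching call is missing, just as the real gem's after_action checks do. PostPolicy, POSTS and the :alice user are constructed sample data.

```ruby
# Illustrative stand-in for how Pundit tracks authorize / policy_scope calls.
# Assumption: this mirrors the gem's behaviour (the real errors live under the
# Pundit namespace, e.g. Pundit::AuthorizationNotPerformedError) but none of
# this is Pundit's code.
class AuthorizationNotPerformedError < StandardError; end
class PolicyScopingNotPerformedError < StandardError; end
class NotAuthorizedError < StandardError; end

# Constructed policy for a single record type; Pundit would derive the
# policy class from the record (e.g. Post -> PostPolicy).
class PostPolicy
  attr_reader :user, :post

  def initialize(user, post)
    @user = user
    @post = post
  end

  # Only a signed-in user may view a post (mirrors the question's check).
  def show?
    !user.nil?
  end

  # Scope used for collections: anonymous users see nothing.
  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      @user.nil? ? [] : @scope
    end
  end
end

# Hypothetical controller base that records which helper was called.
class FakeController
  def initialize(current_user)
    @current_user = current_user
    @policy_authorized = false # set by authorize
    @policy_scoped = false     # set by policy_scope
  end

  # Per-record check: marks the action as authorized, then enforces the query.
  def authorize(record, query)
    @policy_authorized = true
    raise NotAuthorizedError unless PostPolicy.new(@current_user, record).public_send(query)
    record
  end

  # Collection filter: marks the action as scoped and returns the visible subset.
  def policy_scope(scope)
    @policy_scoped = true
    PostPolicy::Scope.new(@current_user, scope).resolve
  end

  def verify_authorized
    raise AuthorizationNotPerformedError unless @policy_authorized
  end

  def verify_policy_scoped
    raise PolicyScopingNotPerformedError unless @policy_scoped
  end

  # Runs an action followed by an after_action-style check and returns :ok
  # or the class of the error raised, so the outcome can be inspected.
  def run(action, check)
    public_send(action)
    public_send(check)
    :ok
  rescue NotAuthorizedError, AuthorizationNotPerformedError, PolicyScopingNotPerformedError => e
    e.class
  end
end

POSTS = [:post_one, :post_two].freeze # constructed sample records

class PostsController < FakeController
  # Collection action: policy_scope is the right helper here.
  def index
    @posts = policy_scope(POSTS)
  end

  # Single-record action: authorize is the right helper here.
  def show
    @post = authorize(POSTS.first, :show?)
  end
end

# The mistake from the question: show calls authorize, but the after_action
# check looks for policy_scope, so the check fails even though authorization ran.
def mismatched_show
  PostsController.new(:alice).run(:show, :verify_policy_scoped)
end

def matched_show
  PostsController.new(:alice).run(:show, :verify_authorized)
end

def matched_index
  PostsController.new(:alice).run(:index, :verify_policy_scoped)
end

# An anonymous user fails the policy itself, not the tracking check.
def anonymous_show
  PostsController.new(nil).run(:show, :verify_authorized)
end
```

Pairing verify_authorized with actions that call authorize, and verify_policy_scoped with actions that call policy_scope, makes the after_action checks pass; the mismatched pair raises even though the policy was consulted.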