Pundit works well if the action has resources, like:

class Admin::PagesController < ApplicationController
  def index
    @pages = Page.all
  end
end

How do I authorise a method without any resources in the action?

class Admin::DashboardController < ApplicationController
  def index
  end
end

I have the file policies/admin/dashboard_policy.rb:

class Admin::DashboardPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      scope.all
    end
  end
end

This file was generated by command:

rails g pundit:policy Admin/Dashboard

The file views/admin/index.html.slim has only static text. Nothing more.

How do I authorise an action without any resources?

Regards, Sssebaaa

sssebaaa

2 Answers

If you don't have any callbacks checking that the policy is scoped, as the Pundit docs suggest, like

class ApplicationController < ActionController::Base
  include Pundit
  after_action :verify_policy_scoped, only: :index
end

You don't have anything to do.

However, if you do have a callback, you can just skip it in your controller action like this:

class Admin::DashboardController < ApplicationController
  skip_after_action :verify_policy_scoped, only: [:index]

  def index
  end
end

Vincent Rolea

To authorize without a scope or model instance, call authorize with a symbol or array of symbols (when namespaced):

class Admin::DashboardController < ApplicationController
  def index
    authorize [:admin, :dashboard]
  end
end

This will call the #index? method on the policy class:

class Admin::DashboardPolicy < ApplicationPolicy
  def index?
    user.admin?
  end
end

You can also remove the scope completely from your policy.

max
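
The headless lookup from the answer above, as an added example that is not part of the original answers and is not Pundit's own code: a plain-Ruby stand-in showing how the symbol array resolves to a policy class and which callers end up denied. `User`, `policy_class_for`, `authorize!` and `Admin::ReportsPolicy` are hypothetical names, and the deny-by-default `index?` in the base policy is an assumption.

```ruby
# Plain-Ruby stand-in for the lookup; illustration only, not Pundit's code.
class NotAuthorizedError < StandardError; end

# Hypothetical user model with the admin? predicate the answer relies on.
User = Struct.new(:name, :admin) do
  def admin?
    admin == true
  end
end

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Assumption: the base policy denies by default.
  def index?
    false
  end
end

module Admin
  class DashboardPolicy < ApplicationPolicy
    def index?
      !user.nil? && user.admin? # a signed-out (nil) user is denied, not a crash
    end
  end

  # Hypothetical policy that never defines index?: falls back to deny.
  class ReportsPolicy < ApplicationPolicy; end
end

# [:admin, :dashboard] -> Admin::DashboardPolicy
def policy_class_for(target)
  name = Array(target).map { |s| s.to_s.split("_").map(&:capitalize).join }.join("::")
  Object.const_get("#{name}Policy")
end

# Mirrors `authorize [:admin, :dashboard]` called from the index action.
def authorize!(user, target, query = :index?)
  policy = policy_class_for(target).new(user, Array(target).last)
  return true if policy.public_send(query)
  raise NotAuthorizedError, "#{query} denied on #{target.inspect}"
end
```

With no model instance, the policy receives the last symbol (`:dashboard`) as its record, so the decision rests entirely on the user.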