
I have a problem where I have to send a session object through the `authorize` method in Pundit, but the `authorize` method only supports two parameters, current_user and records.

Initially I created a new model named UserParam

```ruby
class UserParam < ApplicationRecord
  attr_reader :user, :session

  def initialize(user,session)
    @user = user
    @session = session
  end
end
```

Then I permitted Application Policy to accept UserParam as an attribute:

```ruby
class ApplicationPolicy
  attr_reader :userParam, :user, :session, :record

  def initialize(userParam, record)
    @userParam = userParam
    @record = record
  end

  delegate :user, to: :userParam
  delegate :session, to: :userParam
end
```

Finally I overrode the user record used by Pundit with an instance of the UserParam class:

```ruby
def pundit_user
  UserParam.new(current_user,session)
end
```

Then I called the authorize method as:

```ruby
authorize @booking
```

After I run this code, I get this error:

```
BookingsController put #update for Owner should let owner update the booking to checkin when booking is active
Failure/Error: UserParam.new(current_user,session)

 ArgumentError:
   wrong number of arguments (given 2, expected 0..1)
```
Sheriff Hussain
  • This sounds like an [xy problem](https://meta.stackexchange.com/a/66378/284887) to me. Can you please explain why you think that you need to pass the `session` to the model level? What is stored in that session and how does that relate to model authorization? What are you trying to achieve? – spickermann Aug 13 '19 at 08:02
  • I need the parameters that are passed during that session request. I want to check if the current post is active and also if the admin sent a " :status=>'inactivate' " request parameter. I don't want the admin to be allowed to re-activate the post after it has been deactivated, so if the post is inactive, and the admin again sends a :status => inactive request, I want to block that request – Sheriff Hussain Aug 13 '19 at 09:13
  • Should other roles be allowed to re-activate? If not, then why not just block it by checking the current model status? Or did you consider having dedicated controller routes and policies for this kind of status change? – spickermann Aug 13 '19 at 09:20
  • Actually the Booking model has 4 states, such as active, cancel, checkin and checkout. And I don't want the admin to be able to activate, check in, or check out the booking once it has been canceled. And also, once checked in, a booking cannot be checked out or reactivated. These are some of the cases. – Sheriff Hussain Aug 13 '19 at 09:24
  • That means you want admins to be allowed to update these bookings but not to change the status attribute? Did you consider using a gem like aasm or state_machine to define the states and just not allow such backward status transitions? – spickermann Aug 13 '19 at 09:38
  • Yes, I was thinking about using state_machines. But I wanted to solve it using Pundit, by sending in an extra parameter that held the parameter of the request. And then I would compare it in the policy, as in: if the state of the model is already inactive, and the request param had a status => active in it, the request would not be carried out. – Sheriff Hussain Aug 13 '19 at 09:58
  • And also thank you :) – Sheriff Hussain Aug 13 '19 at 09:58
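
An added example, not part of the original thread and not Pundit's own code: a plain-Ruby sketch of the policy check discussed in the comments, where the policy receives a small context object carrying only the requested status and denies any status change that is not explicitly listed. `UserContext`, `BookingPolicy`, `TRANSITIONS`, `authorized_update?`, the role names and the stand-in `User`/`Booking` structs are assumptions; the transition table is inferred from the rules stated in the comments and should be adjusted to the real ones.

```ruby
# Context object handed to the policy in place of the bare user. It is a plain
# Ruby Struct (no ActiveRecord) and carries only the requested status, not the
# whole session. In a Rails controller it would be returned from pundit_user.
UserContext = Struct.new(:user, :requested_status)

# Constructed stand-ins for the real models (assumptions for this example).
User    = Struct.new(:role)
Booking = Struct.new(:status)

class BookingPolicy
  # Allowed status changes keyed by current status (assumed). From the
  # comments: nothing leaves "cancel", and "checkin" cannot move to "checkout"
  # or back to "active". Any pair not listed here is denied.
  TRANSITIONS = {
    "active"   => %w[cancel checkin checkout],
    "checkin"  => %w[cancel],
    "cancel"   => [],
    "checkout" => []
  }.freeze

  attr_reader :context, :record

  def initialize(context, record)
    @context = context
    @record  = record
  end

  def update?
    # Deny unknown roles first (role names are assumptions).
    return false unless %w[owner admin].include?(context.user.role)

    requested = context.requested_status
    # No status in the request: an ordinary attribute update.
    return true if requested.nil?

    # Re-sending the current status is not in the table, so it is denied too.
    TRANSITIONS.fetch(record.status, []).include?(requested)
  end
end

# Stand-in for what `authorize @booking` does: build the policy, ask update?.
def authorized_update?(user, booking, params)
  context = UserContext.new(user, params[:status]&.to_s)
  BookingPolicy.new(context, booking).update?
end
```

Passing only the one request value the policy needs keeps session contents out of the authorization layer, and the default-deny lookup means a status value the table does not know is rejected rather than allowed.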

0 Answers