
I am creating a trello style app where a user can drag cards between lists. I am handling all the reordering logic on the js side, and am posting the list_id and position to the rails update action in my controller:

card = authorize Card.find(params[:id])
card.update(card_params)

The authorize method, provided by pundit, looks like this:

def update?
  user.can_edit?(card.board)
end

This is only checking if the user is authorized to edit the board. Because I am permitting the list_id attribute, a user could very well make a POST to move a card to a list which he does not have access to. To solve this, I added this condition to my controller:

if current_user.can_edit? List.find(params[:list_id]).board
  # update card
else
  # handle error
end

This solution does the job, but I don't want to introduce any authorization into my controller. My pundit policy does not have access to the card_params, and the model does not have access to the devise current_user, so this seems like the only way. Is there a way I could stick this logic into the policy?

I_A

1 Answer


I found the solution: I just had to authorize the new list through the list policy:

authorize List.find(params[:list_id])

I_A
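To make the question and the accepted answer concrete, here is an added, self-contained example (not code from the question, the answer, or the Pundit gem) that mirrors Pundit's policy pattern in plain Ruby. The `User`, `Board`, `List` and `Card` models, the board-membership rule behind `can_edit?`, and the `authorize` stand-in are all assumptions made for the example; in a real app the second `authorize` call is the `authorize List.find(params[:list_id])` line from the answer, which dispatches to `ListPolicy#update?`.

```ruby
# Added example: authorizing both the moved card and its destination list,
# so a permitted list_id cannot move a card onto a board the user cannot edit.
# Models, membership rule and the authorize stand-in are constructed here.

class NotAuthorizedError < StandardError; end

User = Struct.new(:id, :board_ids) do
  # Assumed membership rule: a user may edit a board they belong to.
  def can_edit?(board)
    board_ids.include?(board.id)
  end
end
Board = Struct.new(:id)
List  = Struct.new(:id, :board)
Card  = Struct.new(:id, :list) do
  def board
    list.board
  end
end

# Mirrors the question's Pundit policy: update? checks the card's board.
class CardPolicy
  def initialize(user, card)
    @user, @card = user, card
  end

  def update?
    @user.can_edit?(@card.board)
  end
end

# The list policy the answer relies on: update? checks the list's board.
class ListPolicy
  def initialize(user, list)
    @user, @list = user, list
  end

  def update?
    @user.can_edit?(@list.board)
  end
end

# Stand-in for Pundit's authorize: resolves "<Class>Policy", runs the query
# (fixed to update? here) and raises when it returns false.
def authorize(user, record, query = :update?)
  policy = Object.const_get("#{record.class}Policy").new(user, record)
  raise NotAuthorizedError, "#{query} denied on #{record.class}" unless policy.public_send(query)
  record
end

# Controller-like update action: authorize the card AND the target list
# before applying the new list_id.
def move_card(current_user, card, target_list)
  authorize(current_user, card)
  authorize(current_user, target_list)
  card.list = target_list
  card
end

def move_allowed?(user, card, target_list)
  move_card(user, card, target_list)
  true
rescue NotAuthorizedError
  false
end

# Constructed sample data: alice is a member of board A only.
def demo
  board_a = Board.new(1)
  board_b = Board.new(2)
  list_a1 = List.new(10, board_a)
  list_a2 = List.new(11, board_a)
  list_b1 = List.new(20, board_b)
  alice   = User.new(1, [1])
  card    = Card.new(100, list_a1)

  same_board  = move_allowed?(alice, card, list_a2) # allowed, card now in list 11
  cross_board = move_allowed?(alice, card, list_b1) # denied by ListPolicy, card stays
  { same_board: same_board, cross_board: cross_board, final_list_id: card.list.id }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running `demo` moves the card within board A but refuses the move to board B, and the refusal comes from `ListPolicy#update?` rather than from an `if` in the controller, which is the separation the question was after. Keeping the check in a policy also means every other action that accepts a `list_id` can reuse the same rule.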