Pundit::NotAuthorizedError / Problem with pundit authorize

Question

I'm trying to update user's adress in a form but i dont understant why i'm not authorize to perform, this is my code :

class AddressesController < ApplicationController
  def update
    @address = current_user.addresses.last
    authorize @address
    @address.update!(address_params)
  end

  private

  def address_params
    params.require(:address).permit(:first_name, :last_name, :city, :country, :postcode, :phone_number, :street_address, :optional_address, :user_id)
  end
end


class AddressPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      scope.all
    end

    def update?
      true
    end
  end
end

and this is the error :

Pundit::NotAuthorizedError in AddressesController#update not allowed to update? this Address

Tom Lord · Accepted Answer · 2020-08-05T08:18:37.127

2

You've defined the update? method within the nested Scope class, but it's supposed to be defined directly in the policy class.

Instead of this:

class AddressPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      scope.all
    end

    def update?
      true
    end
  end
end

You need to do this:

class AddressPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      scope.all
    end
  end

  def update?
    true
  end
end

edited Aug 05 '20 at 08:18

answered Aug 05 '20 at 08:13

Tom Lord

27,404
4
50
77

Your current code must be only calling `ApplicationPolicy#update?`, which must be returning `false`. – Tom Lord Aug 05 '20 at 08:15
Take a look at [the Pundit README](https://github.com/varvet/pundit#scopes), and you'll see how the `resolve` method is expected to be inside it, but these predicate methods are not. – Tom Lord Aug 05 '20 at 08:16
Oh Tom Lord thank you i don't know how i have missed that error ahah :) – Benoît Bargès Aug 05 '20 at 08:25
We've all been there :D – Tom Lord Aug 05 '20 at 08:41

Pundit::NotAuthorizedError / Problem with pundit authorize

1 Answers1