1

I recently started using the Pundit gem for authorization in my Rails app. In my app I have models for Company, each Company can have multiple Employees, this is done through a has many through relationship:

# company.rb
has_many :employees, dependent: :destroy
has_many :users, through: :employees

# employee.rb
belongs_to :company

# user ...

Employees can either be published or not published. In my view for listing company employees, I want to only display published employees for regular users, but other employees of a given company should see all employees for that company.

In my employees_controller#index I have a solution that currently looks like this:

def index
  @employees = if current_user.is_employee?(@company)
                 @company.employees.all
               else
                 @company.employees.select { |employee|   employee.published == true }
               end
end

This works, but I'm trying to understand how to utilise Pundits scopes to achieve the same.

Pseudo code for a Pundit Scope (that's clearly not working, but gives an example of what I want to achieve):

# EmployeePolicy
class Scope
  def initialize(user, scope)
    @user = user
    @scope = scope
  end

  def resolve
    if user.is_employee?(...) # can't get company from scope
      scope.all
    else
      scope.where(published: true)
    end
  end
end

I've seen some examples of using joins to achieve this, but that seems a bit cumbersome, is there some other recommended way to achieve this using Pundit?

Anders
  • 2,903
  • 7
  • 58
  • 114

1 Answers1

1
# app/models/user.rb
class User < ApplicationRecord
  has_many :employees, dependent: :destroy
  has_many :companies, through: :employees
end

# app/models/employee.rb
class Employee < ApplicationRecord
  belongs_to :company
  belongs_to :user
end

# app/models/company.rb
class Company < ApplicationRecord
  has_many :employees, dependent: :destroy
  has_many :users, through: :employees
end

Company.create!(name: "one", users: [User.new, User.new])
Company.create!(name: "two", users: [User.new, User.new])
Employee.find(3).update(published: true)

>> Employee.all.as_json
=> [{"id"=>1, "published"=>nil,  "company_id"=>1, "user_id"=>1},
    {"id"=>2, "published"=>nil,  "company_id"=>1, "user_id"=>2},
    {"id"=>3, "published"=>true, "company_id"=>2, "user_id"=>3},
    {"id"=>4, "published"=>nil,  "company_id"=>2, "user_id"=>4}]

# app/policies/employee_policy.rb

class EmployeePolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      scope.where(company: user.company_ids).or(
        scope.where(published: true)
      )
    end
  end
end

User #1 can see every employee from company #1 and only published from company #2:

>> Pundit.policy_scope(User.first, Employee).as_json
=> [{"id"=>1, "published"=>nil,  "company_id"=>1, "user_id"=>1},
    {"id"=>2, "published"=>nil,  "company_id"=>1, "user_id"=>2},
    {"id"=>3, "published"=>true, "company_id"=>2, "user_id"=>3}]

User from company #2 can't see other company employees:

>> Pundit.policy_scope(User.third, Employee).as_json
=> [{"id"=>3, "published"=>true, "company_id"=>2, "user_id"=>3},
    {"id"=>4, "published"=>nil,  "company_id"=>2, "user_id"=>4}]

Scope that is not related to authorization should be applied in a controller:

>> employee_scope = Pundit.policy_scope(User.first, Employee)

>> employee_scope.where(company: Company.first).as_json
=> [{"id"=>1, "published"=>nil, "company_id"=>1, "user_id"=>1},
    {"id"=>2, "published"=>nil, "company_id"=>1, "user_id"=>2}]

# user #1 authorization to see their own company employees didn't change
# just currently looking at the other company
>> employee_scope.where(company: Company.second).as_json
=> [{"id"=>3, "published"=>true, "company_id"=>2, "user_id"=>3}]
Alex
  • 16,409
  • 6
  • 40
  • 56