Using an instance of Pundit per request…? #774
Replies: 3 comments 1 reply
-
This would probably affect #746 too.
-
Quick Take

This approach makes a lot of sense to me. I appreciate the way you're tying together the contextual information for use through the lifecycle of the request while still providing the ability to override as needed.

The Biggest Question:

Confirm My Understanding

Let's see if I understand how this would affect a straightforward case and my previous override case.

Straightforward Case

There's really no simple right! 😄 In the typical case, I imagine your approach could be implemented with no change to users' code/experience, right? Pundit would mixin a default:

```ruby
class PostsController < ApplicationController
  def show
    @post = Post.find(params[:id])
    authorize @post # goes through the default per-request context
  end
end
```

Override Case

In the more complex case, users could implement their own:

```ruby
class ComplexPostsController < ApplicationController
  def pundit
    @pundit ||= Pundit::Context.new(
      user: pundit_user,
      policy_class: SpecialPostPolicy # <--- continue supporting users providing a specific `policy_class`?
    )
  end

  def show
    @post = Post.find(params[:id])
    authorize @post
  end
end
```

```erb
<%# Now this WILL USE `SpecialPostPolicy` because `policy` is driven by the overridden `def pundit` %>
<% if policy(@post).update? %>
  <%= link_to "Edit post", edit_post_path(@post) %>
<% end %>
```

Final Thoughts

@Burgestrand: I think this approach has promise. For me, this has enough merit to warrant working through a rough PR to see if real code would show cracks in this theory. The devil is in the details, right 🦉 😆 ? I've been out of Pundit details for a couple of years now. I wish I could commit to working up a PR for you, but I don't want to offer that and not follow through. If you think this concept is the direction the project should go, I could probably get excited to work with you or someone on it though.
-
@mattzollinhofer that's a great writeup! I'll read it through in detail some time later. I just wanted to let you know I've got a draft up: #797
-
Hi!

I wanted to let you weigh in on a very rough idea that's been simmering in my mind the past few months.

Today we are:

- `Pundit.authorize`
- `policy_class`, similar to what's discussed in Re-use policy instance when passing explicit policy class? #740
- `authorize` and `policy` no longer share a connection, making it necessary to override both in certain situations

I'm wondering if we can move past the above points by having a contextual Pundit object that ties these things together. The following example is not complete, but I'm hoping it will give a good sense of what I'm after.

The context wouldn't be doing much. Mostly it would be aware of itself and the collaborators we have going on, delegating most of the work to them.

There are some key points to take away:

- `Pundit::Authorization`
- things more concrete

I'm not sure this will actually fix all issues. It's a response to me feeling that when we refactored `authorize` to `Pundit.authorize` we lost some contextual information, which we tried to make up for by making them parametric on `Pundit.authorize`.
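Both the override case in the reply above and the context idea in this post come down to one per-request object that owns the user, the policy lookup and the policy cache, so that `authorize` and `policy` can never disagree. The sketch below is added here as an illustration; it is not Pundit's code and not the #797 draft, and `AuthorizationContext`, the controller stand-ins, `SpecialPostPolicy` and the sample records are hypothetical.

```ruby
# Added sketch, not Pundit's code: one per-request context owns the user, the
# policy lookup and a policy cache, so `authorize` and `policy` always agree.
class NotAuthorizedError < StandardError; end

# Constructed sample records and policies (hypothetical).
User = Struct.new(:name, :admin)
Post = Struct.new(:author)

class PostPolicy
  attr_reader :user, :record
  def initialize(user, record); @user, @record = user, record; end
  def update?; user.admin || record.author == user.name; end
end

# Stricter policy a controller can opt into through policy_class:.
class SpecialPostPolicy < PostPolicy
  def update?; user.admin; end
end

class AuthorizationContext
  def initialize(user:, policy_class: nil)
    @user, @policy_class = user, policy_class
    @cache = {}.compare_by_identity # one policy instance per record per request
  end

  # Explicit policy_class wins; otherwise derive <Record>Policy from the record.
  def policy(record)
    @cache[record] ||= (@policy_class || Object.const_get("#{record.class}Policy")).new(@user, record)
  end

  # Deny by default: raise unless the query returns truthy.
  def authorize(record, query)
    raise NotAuthorizedError, "not allowed to #{query} this #{record.class}" unless policy(record).public_send(query)
    record
  end
end

# Controller-shaped stand-ins: overriding `pundit` changes both authorize and policy.
class PostsController
  def initialize(user); @user = user; end
  def pundit; @pundit ||= AuthorizationContext.new(user: @user); end
  def authorize(record, query); pundit.authorize(record, query); end
  def policy(record); pundit.policy(record); end
end

class ComplexPostsController < PostsController
  def pundit; @pundit ||= AuthorizationContext.new(user: @user, policy_class: SpecialPostPolicy); end
end
```

Because the view's `policy(@post)` and the action's `authorize @post` resolve through the same cached instance, a `policy_class:` override in `pundit` is honoured in both places without overriding either method.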