[Rails] Help with gestalt of Pundit's authorize, please

Ruby on Rails Monday, July 17, 2017

The best explanation I have found for the gestalt of Pundit is https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ 

And yet ... I don't get it.

I can understand each statement in https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ ... but when I get to what the "authorize(@post)" in
def create
  @post = Post.new(params[:post])
  authorize(@post)
  
end
does ... I don't get it.

I'm trying to put together an English sentence for "authorize(@post)".  Please tell me if I'm close.



authorize(@post)
means ...

For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError exception if PostPolicy#create? returns false



I think the "hidden" inputs to authorize come from the following sources:
current_user             from Devise's current_user
@post                       is the self-evident argument to authorize
PostPolicy                 is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
create?                      is built from params[:action].  That is, since we know we're in def create then params[:action] must be "create".

How close am I?

Ralph

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/c434a226-68b7-4ed3-9a62-eaab7c8ebef6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Posted by Ruby on Rails at 12:02 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)