Ruby on Rails Monday, July 17, 2017

While I'm at it ...

WHAT is being "authorize-d"? The @post? The current_user? The controller action? Something else?


On Monday, July 17, 2017 at 1:02:11 AM UTC-6, Ralph Shnelvar wrote:
The best explanation I have found for the gestalt of Pundit is 

And yet ... I don't get it.

I can understand each statement in ... but when I get to what the "authorize(@post)" in
def create
@post =[:post])

does ... I don't get it.

I'm trying to put together an English sentence for "authorize(@post)".  Please tell me if I'm close.

means ...

For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError exception if PostPolicy#create? returns false

I think the "hidden" inputs to authorize come from the following sources:
current_user    from Devise's current_user
@post           is the self-evident argument to authorize
PostPolicy      is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
create?         is built from params[:action]. That is, since we know we're in def create then params[:action] must be "create".

How close am I?
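
The lookup described in the message above, as an added Ruby sketch (not Pundit's source and not part of the original post): a simplified authorize that derives the policy class from the record's class and the query method from params[:action], then raises when the policy returns false. The User and Post structs, the PostPolicy rules and the attempt helper are constructed for illustration.

```ruby
# Simplified model of the lookup described in the post; not Pundit's source.
class NotAuthorizedError < StandardError; end

User = Struct.new(:name, :admin)   # constructed stand-in for a Devise user
Post = Struct.new(:title, :author) # constructed stand-in for the model

# Hypothetical policy: the rules are constructed for this example.
class PostPolicy
  def initialize(user, record)
    @user = user
    @record = record
  end

  def create?
    !@user.nil? # any signed-in user may create; a nil user is denied
  end

  def update?
    !@user.nil? && (@user.admin || @record.author == @user)
  end
end

class PostsController
  def initialize(current_user, params)
    @current_user = current_user # Pundit reads this through pundit_user
    @params = params
  end

  def authorize(record, query = nil)
    query ||= "#{@params[:action]}?"                         # "create" -> "create?"
    policy_class = Object.const_get("#{record.class}Policy") # Post -> PostPolicy
    policy = policy_class.new(@current_user, record)
    raise NotAuthorizedError, "#{query} denied on #{record.class}" unless policy.public_send(query)
    record
  end
end

# Returns :allowed or :denied for a constructed request.
def attempt(user, action, post)
  PostsController.new(user, { action: action }).authorize(post)
  :allowed
rescue NotAuthorizedError
  :denied
end

alice = User.new("alice", false)
bob   = User.new("bob", false)
post  = Post.new("Hello", alice)
puts attempt(alice, "update", post), attempt(bob, "update", post), attempt(nil, "create", post)
```

The decision is made on the triple of user, record and action-derived query, so a policy method has to handle a nil user itself when the action can be reached without signing in.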

