hot-glue 0.5.19.2 → 0.5.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 016741b47374d4b624bb04c96757bf92ca48bef198ca39ff642d94b571024949
-  data.tar.gz: 91ac3ecd1745958f7df484cb1ad009b63e02891e8f9021e7c7cd062aff7baaf6
+  metadata.gz: 48857d455006404276d88ee9481b21664a413e14403f8432a26cb13fc4351f4a
+  data.tar.gz: d15f7a0d742a7164e0f58c4bd25a620198efed8106c7e36bfeea1a34251d4889
 SHA512:
-  metadata.gz: 32b258df9e7f7d989d7827aa5ed420019bc6283447822f254a01ebfc4dd705dcb2428d73f9685a65ed2e6157b114a38a8395144f351a16144f03b61ecc4c26c7
-  data.tar.gz: e66eea5d26d987815a0583c80e49401a55fefaa59e5a2db503cc7fe488c403103a5699895966e73415dd2ca0de21452022cd1b68445859e8338330376c7aacf0
+  metadata.gz: 916d29b5b2f60c273bf9d0094511d95b39b54f8d57c3b41c251d17dc9b7f918914a6ca529f4eca000461fa7c2b4e2b36f954fb3ee59f0fda8a8ed53038c773e0
+  data.tar.gz: cbddef65679e3dd42d18143d964f3a9ad9ccb25490bfc054d8fd73f23c24d0a74751a8e07c96fc5404792bb6fe553b2d70a6f6fc168ceaf4a39247d96a4d360e

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    hot-glue (0.5.19.1)
+    hot-glue (0.5.19.2)
       ffaker (~> 2.16)
       kaminari (~> 1.2)
       rails (> 5.1)

data/README.md

@@ -75,15 +75,11 @@ For Hot Glue, you will need:
 
 Section #1 is to create a new Rails app. (Or you can do that yourself.)
 
-Section #2 is to setup Rspec, FactoryBot, and Faker.
+Section #2 is to setup Rspec, FactoryBot, and Faker — choose 2B for Rspec0
 
-Section #4 is optional but highly recommended.
+Skip #3 and #4 is optional. #5 is optional but recommended. 
 
-Section #5 is where you will pick a CSS Framework (Bootstrap, Tailwind, or none)
-
-Section #6 is for two support gems (Kaminari) for Hot Glue
-
-Section #7 is for Hot Glue itself
+Sectoin #6 is for Hot Glue itself, and Section #7 is for Kaminari
 
 You will also need section #8 to setup Devise if you want authentication.
 
@@ -645,15 +641,6 @@ This is what would happen if 9 fields, specified in the order A,B,C,D,E,F,G,H,I,
 
 
 
-### `--show-only=`
-(separate field names by COMMA)
-
-Any fields only the 'show-only' list will appear as non-editable on the generated form for both new & edit actions. (visible only)
-
-IMPORTANT: By default, all fields that begin with an underscore (`_`) are automatically show-only.
-
-This is for fields you want globally non-editable by users in your app. For example, a counter cache or other field set only by a backend mechanism.
-
 ### `--modify=field1{...},field2{...}`
 
 
@@ -685,12 +672,92 @@ The available modifiers are:
 | truthy label\|falsy label | specify a binary switch with a pipe (\|) character if the value is truthy, it will display as "truthy label" if the value is falsy, it will display as "falsy label" | boolean, datetime, date, time |   |   |
 |                           |                                                                                                                                                                      |                               |   |   |
 
+### `--pundit`
+If you enable Pundit, your controllers will look for a Policy that matches the name of the thing being built.
+
+**Realtime Field-level Access**
+Hot Glue gives you automatic field level access control if you create `*_able?` methods for each field you'd like to control on your Pundit policy.
+
+(Although this is not what Pundit recommends for field level access control, it has been implemented this way to provide field-by-field user feedback to the user shown in red just like Rails validation errors are currently shown. This is is only hypothetical, because the interface correctly shows the field as viewable or editable anyway, making bad entry only something that could be achieved through a mistake or hacking. Nevertheless, rest assured that if there was a input mistake-- like a user having a field editable when it shouldn't be, the backend policy would guard against the disallowed input and show an error message.)
+
+The `*_able?` method should return true or false depending on whether or not the field can be edited. (No distinction is made between the different contexts. You may check if the record is new using `new_record?`.
+
+The `*_able?` method is used by Hot Glue only on the new and edit actions, but you should incorporate it into the policy's `update?` method as in the example, which will extend other operations since Hot Glue will use the policy to authorize the action
+Add one `*_able?` method to the policy for each field you want to allow field-level access control. 
+
+Replace `*` with the name of the field you want under access control. Remember to include `_id` for foreign keys. You do not need it for any field you don't want under access control.
+
+When the method returns true, the field will be displayed to the user (and allowed) for editing. 
+When the method returns false, the field will be displayed as read-only (viewable) to the user.
+
+Important: These special fields determine *only* display behavior (new and edit), not create and update. 
+
+For create & update field-level access control, you must also implement the `update?` method on the Policy. Notice how in the example policy below, the `update?` method uses the `name_able?` method when it is checking if the name field can be updated, tying the feature together.
+
+You can set Pundit to be enabled globally on the whole project for every build in `config/hot_glue.yml` (then you can leave off the `--pundit` flag from the scaffold command)
+`:pundit_default:` (all builds in that project will use Pundit)
+
+
+Here's an example `ThingPolicy` that would allow **editing the name field** only if:
+• the current user is an admin
+• the sent_at date is nil (meaning it has not been sent yet)
+
+For your policies, copy the `initialize` method of both the outer class (`ThingPolicy`) and the inner class (`Scope`) exactly as shown below.
+
+
+```
+class ThingPolicy < ApplicationPolicy
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+  
+  def name_able?
+    @record.sent_at.nil?
+  end
+  
+  def update?
+     if !@user.is_admin?
+       return false
+    elsif record.name_changed? && !name_able?
+      record.errors.add(:name, "cannot be changed.")
+      return false
+    else
+      return true
+    end
+  end
+  
+  class Scope < Scope
+    attr_reader :user, :scope
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+  end
+end
+```
+
+
+Because Hot Glue detects the `*_able?` methods at build time, if you add them to your policy, you will have to rebuild your scaffold.
+
+
+### `--show-only=`
+(separate field names by COMMA)
+
+• Make this field appear as viewable only all actions. (visible only)
+• When set on this list, it will override any Pundit policy even when Pundit would otherwise allow the access.
+
+IMPORTANT: By default, all fields that begin with an underscore (`_`) are automatically show-only.
+
+This is for fields you want globally non-editable by users in your app. For example, a counter cache or other field set only by a backend mechanism.
 
 
 ### `--update-show-only`
 (separate field names by COMMA)
 
-Fields on the `update show only`  (and not on the `show only` list) will appear as non-editible only for the **edit** action, but will still allow entry for the **create** action.
+• Make this field appear as viewable only for the edit action (and not allowed in the update action). 
+• When set on this list, it will override any Pundit policy for edit/update actions even when Pundit would otherwise allow the access.
+
 
 Note that Hot Glue still generates a singular partial (`_form`) for both actions, but your form will now contain statements like:
 
@@ -705,6 +772,35 @@ Note that Hot Glue still generates a singular partial (`_form`) for both actions
 This works for both regular fields, association fields, and alt lookup fields.
 
 
+When mixing the show only, update show only, and Pundit features, notice that the show only + update show only will act to override whatever the policy might say.
+
+Remember, the show only list is specified using `--show-only` and the update show only list is specified using `--update-show-only`.
+
+'Viewable' means it displays as view-only (not editable) even on the form. In this context, 'viewable' means 'read-only'. It does not mean 'visible'. 
+
+That's because when the field is **not viewable**, then it is editable or inputable. This may seem counter-intuitive for a standard interpretation of the word 'viewable,' but consider that Hot Glue has been carefully designed this way. If you do not want the field to appear at all, then you simply remove it using the exclude list or don't specify it in your include list. If the field is being built at all, Hot Glue assumes your users want to see or edit it. Other special cases are beyond the scope of Hot Glue but can easily be added using direct customization of the code. 
+
+Without Pundit:
+|                                          | on new screen | on edit screen |
+|------------------------------------------|---------------|----------------|
+| for a field on the show only list        | viewable      | viewable       |
+| for a field on the update show only list | inputable     | viewable       |
+| for all other fields                     | inputable     | inputable      |
+
+
+With Pundit:
+|                                          | on new screen | on edit screen |
+|------------------------------------------|---------------|----------------|
+| for a field on the show only list        | viewable      | viewable       |
+| for a field on the update show only list | check policy  | viewable       |
+| for all other fields                     | check policy  | check policy   |
+|                                          |               |                |
+
+Remember, if there's a corresponding `*_able?` method on the policy, it will be used to determine if the field is **editable** or not in the cases where 'check policy' is above.
+(where `*` is the name of your field)
+
+As shown in the method `name_able?` of the example ThingPolicy above, if this field on your policy returns true, the field will be editable. If it returns false, the field will be viewable (read-only).
+
 
 ### `--ujs_syntax=true` (Default is set automatically based on whether you have turbo-rails installed)
 
@@ -1300,6 +1396,12 @@ end
 
 # VERSION HISTORY
 
+#### 2023-09-08 - v0.5.20
+`--pundit` authorization
+• Will look for a `XyzPolicy` class and method on your class named `*_able?` matching the fields on your object. See Pundit section for details.
+• Field-level access control (can determine which fields are editble or viewable based on the record or current user or combination factors)
+• The field-level access control doesn't show the fields as editable to the user if they can't be edited by the user (it shows them as view-only). 
+
 #### 2023-09-02 - v0.5.19
 
 Given a table generated with this schema:

data/lib/generators/hot_glue/fields/association_field.rb

@@ -116,7 +116,7 @@ class AssociationField < Field
 
   def form_show_only_output
     assoc_name = name.to_s.gsub("_id","")
-    assoc = eval("#{singular_class}.reflect_on_association(:#{assoc_name})")
+    assoc = eval("#{class_name}.reflect_on_association(:#{assoc_name})")
     if assoc.nil?
       exit_message = "*** Oops. on the #{singular_class} object, there doesn't seem to be an association called '#{assoc_name}'"
       exit

data/lib/generators/hot_glue/fields/date_time_field.rb

@@ -37,7 +37,7 @@ class DateTimeField < Field
     "<%= datetime_field_localized(f, :#{name}, #{singular}.#{name}, '#{ name.to_s.humanize }') %>"
   end
 
-  def line_field_output
+  def viewable_output
     if modify_binary?
       modified_display_output
     else

data/lib/generators/hot_glue/fields/field.rb

@@ -115,7 +115,7 @@ class Field
   end
 
   def modified_display_output
-    if  modify[:cast] && modify[:cast] == "$"
+    if modify[:cast] && modify[:cast] == "$"
       "<%= number_to_currency(#{singular}.#{name}) %>"
     elsif modify[:binary]
       "<%= #{singular}.#{name} ? '#{modify[:binary][:truthy]}' : '#{modify[:binary][:falsy]}' %>"

data/lib/generators/hot_glue/markup_templates/erb.rb

@@ -8,7 +8,7 @@ module  HotGlue
                   :inline_list_labels, :layout_object,
                   :columns,  :col_identifier, :singular,
                   :form_placeholder_labels, :hawk_keys, :update_show_only,
-                  :alt_lookups, :attachments, :show_only, :columns_map
+                  :alt_lookups, :attachments, :show_only, :columns_map, :pundit
 
 
       def initialize(singular:, singular_class: ,
@@ -17,7 +17,7 @@ module  HotGlue
                    ownership_field: , form_labels_position: ,
                    inline_list_labels: ,
                    form_placeholder_labels:, hawk_keys: ,
-                   update_show_only:, alt_lookups: , attachments: , columns_map: )
+                   update_show_only:, alt_lookups: , attachments: , columns_map:, pundit: )
 
       @singular = singular
       @singular_class = singular_class
@@ -28,6 +28,7 @@ module  HotGlue
       @small_buttons = small_buttons
       @layout_strategy = layout_strategy
       @show_only = show_only
+      @pundit = pundit
       @ownership_field = ownership_field
 
       @form_labels_position = form_labels_position
@@ -81,30 +82,34 @@ module  HotGlue
       result = columns.map{ |column|
         "  <div class='#{column_classes} cell--#{singular}--#{column.join("-")}' >" +
           column.map { |col|
-            field_result = show_only.include?(col.to_sym) ?
-                             columns_map[col].form_show_only_output :
-                             columns_map[col].form_field_output
 
             field_error_name = columns_map[col].field_error_name
 
-
             label_class = columns_map[col].label_class
             label_for = columns_map[col].label_for
 
             the_label = "\n<label class='#{label_class}' for='#{label_for}'>#{col.to_s.humanize}</label>"
-            show_only_open = ""
-            show_only_close = ""
 
-            if update_show_only.include?(col)
-              show_only_open = "<% if action_name == 'edit' %>" +
-                show_only_result(type: type, col: col, singular: singular) + "<% else %>"
-              show_only_close = "<% end %>"
-            end
+
+            field_result =
+              if show_only.include?(col)
+                columns_map[col].form_show_only_output
+              elsif update_show_only.include?(col) && !@pundit
+                "<% if action_name == 'edit' %>" + columns_map[col].form_show_only_output + "<% else %>" + columns_map[col].form_field_output + "<% end %>"
+              elsif update_show_only.include?(col) && @pundit && eval("defined? #{singular_class}Policy") && eval("#{singular_class}Policy").instance_methods.include?("#{col}_able?".to_sym)
+                "<% if action_name == 'create' && policy(@#{singular}).#{col}_able? %>" + columns_map[col].form_show_only_output + "<% else %>" + columns_map[col].form_field_output + "<% end %>"
+
+                             # show only on the update action overrides any pundit policy
+            elsif @pundit && eval("defined? #{singular_class}Policy") && eval("#{singular_class}Policy").instance_methods.include?("#{col}_able?".to_sym)
+              "<% if policy(@#{singular}).#{col}_able? %>" + columns_map[col].form_field_output + "<% else %>" + columns_map[col].form_show_only_output  + "<% end %>"
+            else
+              columns_map[col].form_field_output
+                           end
 
             add_spaces_each_line( "\n  <span class='<%= \"alert-danger\" if #{singular}.errors.details.keys.include?(:#{field_error_name}) %>'  #{'style="display: inherit;"'}  >\n" +
                                     add_spaces_each_line( (form_labels_position == 'before' ? the_label : "") +
-                                                            show_only_open + field_result + show_only_close +
-                                                            (form_labels_position == 'after' ? the_label : "")   , 4) +
+                                                        +  field_result +
+                                        (form_labels_position == 'after' ? the_label : "")   , 4) +
                                     "\n  </span>\n  <br />", 2)
 
           }.join("") + "\n  </div>"

data/lib/generators/hot_glue/scaffold_generator.rb

@@ -21,7 +21,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
                 :display_as, :downnest_children, :downnest_object, :hawk_keys, :layout_object, :modify,
                 :nest_with, :path, :plural, :sample_file_path, :show_only_data, :singular,
                 :singular_class, :smart_layout, :stacked_downnesting, :update_show_only, :ownership_field,
-                :layout_strategy, :form_placeholder_labels, :form_labels_position
+                :layout_strategy, :form_placeholder_labels, :form_labels_position, :pundit
 
   class_option :singular, type: :string, default: nil
   class_option :plural, type: :string, default: nil
@@ -81,6 +81,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   class_option :button_icons, default: nil
   class_option :modify, default: {}
   class_option :display_as, default: {}
+  class_option :pundit, default: nil
 
   def initialize(*meta_args)
     super
@@ -295,6 +296,12 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
     @display_list_after_update = options['display_list_after_update'] || false
     @smart_layout = options['smart_layout']
 
+    @pundit = options['pundit']
+    if @pundit.nil?
+      @pundit = get_default_from_config(key: :pundit_default)
+    end
+
+
     if options['include'].include?(":") && @smart_layout
       raise HotGlue::Error, "You specified both --smart-layout and also specified grouping mode (there is a : character in your field include list); you must remove the colon(s) from your --include tag or remove the --smart-layout option"
     end
@@ -443,7 +450,8 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
         form_placeholder_labels: @form_placeholder_labels,
         alt_lookups: @alt_lookups,
         attachments: @attachments,
-        columns_map: @columns_map
+        columns_map: @columns_map,
+        pundit: @pundit,
       )
     elsif @markup == "slim"
       raise(HotGlue::Error, "SLIM IS NOT IMPLEMENTED")
@@ -806,7 +814,8 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       show_only_list = which_partial == :create ? @show_only : (@update_show_only + @show_only)
 
       if show_only_list.include?(col)
-        "      page.should have_no_selector(:css, \"[name='#{testing_name}[#{ col.to_s }]'\")"
+        # TODO: decide if this should get re-implemeneted
+        # "      page.should have_no_selector(:css, \"[name='#{testing_name}[#{ col.to_s }]'\")"
       else
         col_obj.spec_setup_and_change_act(which_partial)
       end

data/lib/generators/hot_glue/templates/controller.rb.erb

@@ -65,21 +65,29 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
     @<%= singular_name %> = (<%= auth_object.gsub("@",'') %><%= " if params.include?(:#{@nested_set[0][:singular]}_id)" if @nested_set.any? && @nested_set[0][:optional] %>)<% if @nested_set.any? && @nested_set[0][:optional] %> || <%= class_name %>.find(params[:id])<% end %>
   end<% end %>
 
-  def load_all_<%= plural %><% if !@self_auth %>
+  def load_all_<%= plural %><% if @pundit %>
+    @<%= plural_name %> =  policy_scope(<%= class_name %>).page(params[:page])<%= n_plus_one_includes %>
+    authorize @<%= plural_name %>.all<% else %> <% if !@self_auth %>
     @<%= plural_name %> = <%= object_scope.gsub("@",'') %>.page(params[:page])<%= n_plus_one_includes %><%= " if params.include?(:#{ @nested_set.last[:singular]}_id)" if @nested_set.any? && @nested_set[0] &&  @nested_set[0][:optional] %><% if @nested_set[0] &&  @nested_set[0][:optional] %>
     @<%= plural_name %> = <%= class_name %>.all<% end %><% else %>
     @<%= plural_name %> = <%= class_name %>.where(id: <%= auth_object.gsub("@",'') %>.id)<%= n_plus_one_includes %> # returns iterable even though this <%= singular_name %> is only allowed access to themselves<% end %>
+    <% end %>
   end
 
   def index
-    load_all_<%= plural %>
+    load_all_<%= plural %><% if @pundit %>
+  rescue Pundit::NotAuthorizedError
+    flash[:alert] = "You are not authorized to perform this action."<% end %>
   end
 
 <% if create_action %>  def new<% if @object_owner_sym %>
-    @<%= singular_name %> = <%= class_name  %>.new(<%  if eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %><%= @object_owner_sym %>: <%= @object_owner_eval %><% end %>)<% elsif @object_owner_optional && any_nested? %>
-    @<%= singular_name %> = <%= class_name  %>.new({}.merge(<%= @nested_set.last[:singular] %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}))<% else %>
-    @<%= singular_name %> = <%= class_name  %>.new(<% if any_nested? %><%= @object_owner_sym %>: <%= @object_owner_eval %><% end %>)
-   <% end %>
+    @<%= singular_name %> = <% if @pundit %>policy_scope(<% end %><%= class_name %><% if @pundit %>)<% end %>.new(<%  if eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %><%= @object_owner_sym %>: <%= @object_owner_eval %><% end %>)<% elsif @object_owner_optional && any_nested? %>
+    @<%= singular_name %> = <% if @pundit %>policy_scope(<% end %><%= class_name  %><% if @pundit %>)<% end %>.new({}.merge(<%= @nested_set.last[:singular] %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}))<% else %>
+    @<%= singular_name %> = <% if @pundit %>policy_scope(<% end %><%= class_name  %><% if @pundit %>)<% end %>.new(<% if any_nested? %><%= @object_owner_sym %>: <%= @object_owner_eval %><% end %>)<% end %>
+    <% if @pundit %>authorize @<%= singular_name %><% end %><% if @pundit %>
+  rescue Pundit::NotAuthorizedError
+    flash[:alert] = "You are not authorized to perform this action."
+    render :index<% end %>
   end
 
   def create
@@ -106,12 +114,18 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
     else
       flash[:alert] = "Oops, your <%= singular_name %> could not be created. #{@hawk_alarm}"
       render :create, status: :unprocessable_entity
-    end
+    end<% if @pundit %>
+  rescue Pundit::NotAuthorizedError
+    flash[:alert] = "Creating <%= singular %> not authorized. #{@<%= singular %>.errors.collect{|k| "#{k.attribute} #{k.message}"}.join(" ")} #{flash[:notice]} "
+    render :index <% end %>
   end
 
 <% end %>
 <% unless @no_edit %>  def edit
-    render :edit
+    render :edit<% if @pundit %>
+  rescue Pundit::NotAuthorizedError
+    flash[:alert] = "Editing #{@<%= singular %>.<%= display_class %>} not authorized."
+    render :index <% end %>
   end
 
 <% end %><% if @build_update_action %>  def update
@@ -120,7 +134,7 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
        }.join("\n") %><% end %> <% merge_lookups = @alt_lookups.filter{|key,d| ! @update_show_only.include?(key.to_sym) }.collect{|key, data| "#{key.gsub("_id", "")}: #{key.gsub("_id", "")}" }.join(",") %>
     <% @magic_buttons.each { |button| %>@<%= singular_name %>.<%= button %>! if <%= singular_name %>_params[:__<%= button %>]
     <% } %>
-    modified_params = modify_date_inputs_on_params(<%= singular_name %>_params.dup<%= controller_update_params_tap_away_alt_lookups  %>, <%= current_user_object %>, <%= datetime_fields_list %>) <% if @object_owner_sym &&  eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %>
+    modified_params = modify_date_inputs_on_params(<% if @update_show_only %>update_<% end %><%= singular_name %>_params.dup<%= controller_update_params_tap_away_alt_lookups  %>, <%= current_user_object %>, <%= datetime_fields_list %>) <% if @object_owner_sym &&  eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %>
     modified_params = modified_params.merge(<%= @object_owner_sym %>: <%= @object_owner_eval %>) <% elsif @object_owner_optional && any_nested? %>
     modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif !@object_owner_eval.empty? %>
     modified_params = modified_params.merge(<%= @object_owner_eval %>) <% end %><%  if !merge_lookups.empty?  %>
@@ -136,7 +150,13 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
       <%= @update_alt_lookups.collect{|key, data|
    "    @#{ singular_name }.#{key.gsub("_id", "")} = #{key.gsub("_id", "")}"
    }.join("/n") %><% end %><%= controller_attachment_orig_filename_pickup_syntax %>
+    <% if @pundit %>
+    if @<%= singular_name %>.attributes = modified_params
+        authorize @<%= singular_name %>
+        @<%= singular_name %>.save
+    <% else %>
     if @<%= singular_name %>.update(modified_params)
+    <% end %>
       <% if @display_list_after_update %>    load_all_<%= plural %><% end %>
       flash[:notice] = "#{flash[:notice]} Saved #{@<%= singular %>.<%= display_class %>}"
       flash[:alert] = @hawk_alarm if @hawk_alarm
@@ -144,22 +164,33 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
     else
       flash[:alert] = "#{flash[:notice]} <%= singular_name.titlecase %> could not be saved. #{@hawk_alarm}"
       render :update, status: :unprocessable_entity
-    end
+    end<% if @pundit %>
+  rescue Pundit::NotAuthorizedError
+    flash[:alert] = "Updating #{@<%= singular_name %>.<%= display_class %>} not authorized. "
+    render :update<% end %>
   end
 
 <% end %><% if destroy_action %>  def destroy
+    <% if @pundit %>authorize @<%= singular_name %><% end %>
     begin
       @<%=singular_name%>.destroy
       flash[:notice] = '<%= singular_name.titlecase %> successfully deleted'
     rescue StandardError => e
       flash[:alert] = '<%= singular_name.titlecase %> could not be deleted'
     end <%= post_action_parental_updates %>
-    load_all_<%= plural %>
+    load_all_<%= plural %><% if @pundit %>
+  rescue Pundit::NotAuthorizedError
+    flash[:alert] = "Deleting #{@<%= singular_name %>.<%= display_class %>} not authorized. "
+    render :update<% end %>
   end<% end %>
 
   def <%=singular_name%>_params
-    params.require(:<%= testing_name %>).permit(<%= (fields_filtered_for_email_lookups - @show_only) + @magic_buttons.collect{|x| "__#{x}".to_sym }%>)
-  end
+    params.require(:<%= testing_name %>).permit(<%= (fields_filtered_for_email_lookups - @show_only ) + @magic_buttons.collect{|x| "__#{x}".to_sym }%>)
+  end<% if @update_show_only %>
+
+  def update_<%=singular_name%>_params
+    params.require(:<%= testing_name %>).permit(<%= (fields_filtered_for_email_lookups - @update_show_only) + @magic_buttons.collect{|x| "__#{x}".to_sym }%>)
+  end<% end %>
 
   def namespace
     <% if @namespace %>'<%= @namespace %>/'<% else %><% end %>

data/lib/hotglue/version.rb

@@ -1,5 +1,5 @@
 module HotGlue
   class Version
-    CURRENT = '0.5.19.2'
+    CURRENT = '0.5.20'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hot-glue
 version: !ruby/object:Gem::Version
-  version: 0.5.19.2
+  version: 0.5.20
 platform: ruby
 authors:
 - Jason Fleetwood-Boldt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-04 00:00:00.000000000 Z
+date: 2023-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails